hellowin Privacy Policy

For the purposes of this Privacy Policy, the following terms shall have the meanings set out below:

• "Personal Data" means any information, whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
• "Sensitive Personal Information" means personal data about an individual's race, ethnic origin, marital status, age, colour, religious, philosophical or political affiliations; health, education, genetic or sexual life; proceedings for any offense committed; government-issued identifiers; and any specifically established by executive order or act of Congress.
• "Data Subject" means you — the natural person to whom the personal data relates.
• "Data Controller" means hellowin, which determines the purposes and means of processing personal data.
• "Data Processor" means any natural or legal person, whether private or public, who processes personal data on behalf of hellowin pursuant to a data processing agreement.
• "Processing" means any operation or set of operations performed on personal data, including collection, recording, organisation, storage, updating, retrieval, consultation, use, consolidation, blocking, erasure, or destruction.
• "NPC" means the National Privacy Commission of the Republic of the Philippines.
• "DPA" means the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations.
• "Platform" means hellowin.asia and all associated digital services, including the hellowin mobile application.

hellowin is the Data Controller responsible for the personal data of players and visitors to the Platform. All decisions regarding the purposes and means of processing your personal data are made by hellowin or its authorised representatives.

hellowin has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with this Privacy Policy and applicable data protection law. The DPO can be contacted using the details set out in Section 15 of this Policy.

hellowin collects personal data across the following categories:

hellowin collects personal data through the following channels and means:

• Direct provision by you: When you register an Account, complete KYC verification, make a deposit or withdrawal, contact customer support, or participate in promotions, you directly provide personal data to hellowin.
• Automated technical collection: When you access and use the Platform, hellowin's systems automatically collect technical data including IP addresses, device identifiers, and session logs. This data is collected through server logs, cookies, and similar tracking technologies as described in Section 8.
• Third-party payment providers: When you transact via GCash, Maya, or a Philippine bank, the payment provider transmits transaction confirmation data (not account credentials) to hellowin to facilitate deposit and withdrawal processing.
• Identity verification providers: hellowin may use third-party KYC services to assist in verifying identity documents. These providers process document images on hellowin's behalf under binding data processing agreements.
• Game providers: Certified third-party game providers supply aggregated game round outcome data to hellowin's platform for account crediting, dispute resolution, and regulatory reporting purposes.

hellowin processes your personal data only where a lawful basis for doing so exists under the Data Privacy Act of 2012. The applicable legal bases are as follows:

1. Contractual necessity: Processing required to perform our contract with you — operating your Account, processing your deposits and withdrawals, providing access to games, and delivering customer support.
2. Legal obligation: Processing required to comply with our obligations under Philippine law, including anti-money laundering (AML) requirements, PAGCOR regulatory obligations, and tax reporting requirements.
3. Legitimate interest: Processing carried out for hellowin's legitimate business interests, including fraud prevention and detection, platform security, responsible gaming monitoring, and product improvement, where these interests are not overridden by your rights and interests.
4. Consent: Processing for marketing communications, optional preference profiling, and any other purpose not covered by the above bases. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

hellowin uses your personal data for the following specific purposes:

• Registering, maintaining, and managing your hellowin Account.
• Processing deposit and withdrawal transactions via GCash, Maya, BDO, BPI, Metrobank, and other supported Philippine payment methods.
• Verifying your identity and age (21+ requirement) in compliance with KYC obligations.
• Complying with anti-money laundering (AML) obligations, including monitoring for suspicious transactions and reporting to the relevant Philippine authorities where required.
• Detecting and preventing fraud, account takeover, collusion, multi-accounting, and other prohibited conduct as defined in our Terms & Conditions.
• Monitoring gaming activity to identify potential problem gambling behaviours and applying responsible gaming interventions where appropriate.
• Providing customer support, resolving disputes, and handling complaints.
• Sending transactional communications — account notifications, deposit confirmations, withdrawal status updates — via SMS (Smart, Globe, DITO) and email.
• Sending marketing communications about hellowin promotions, new games, and bonuses, where you have given consent or where a soft opt-in applies under applicable law.
• Improving the Platform's performance, security, and user experience through analysis of aggregated and anonymised usage data.
• Fulfilling regulatory reporting obligations to PAGCOR and other competent Philippine authorities.

hellowin does not sell, rent, or otherwise commercially disclose your personal data to third parties. Personal data is shared only in the following limited circumstances:

• Payment service providers: GCash, Maya, and Philippine bank partners receive the minimum personal data necessary to process your transactions. These providers are bound by their own regulatory data protection obligations.
• KYC and identity verification providers: Third-party identity verification services process your identity document data on hellowin's behalf under binding data processing agreements that prohibit any use of your data for the provider's own purposes.
• Game technology providers: Licensed game providers receive session identifiers and betting data necessary to deliver the game experience and resolve disputes. They do not receive full account identity data.
• Cloud infrastructure providers: hellowin uses cloud infrastructure services to host the Platform. These providers store encrypted data on hellowin's behalf and are prohibited from accessing or using that data for any purpose other than infrastructure provision.
• Regulatory authorities: hellowin discloses personal data to PAGCOR, the Anti-Money Laundering Council (AMLC), the National Privacy Commission, and other competent Philippine authorities as required by law or in response to a valid legal process.
• Professional advisers: hellowin's legal, accounting, and auditing advisers may receive limited personal data to the extent necessary for the exercise of their professional services, subject to professional confidentiality obligations.

hellowin uses cookies and similar tracking technologies on the Platform for the purposes described in this section. A cookie is a small text file placed on your device by a website to store information about your interaction with that site.

• Strictly necessary cookies: Required for the Platform to function. These include session authentication cookies that keep you logged in to your hellowin Account. These cookies cannot be disabled without breaking core functionality.
• Performance cookies: Used to collect anonymised information about how players use the Platform — which pages are visited most, where players encounter errors, and how session flows perform. This data is used solely to improve the Platform.
• Functional cookies: Store your preferences such as language settings and responsible gaming reminders to provide a personalised experience between sessions.
• Security cookies: Used to detect and prevent fraudulent login attempts, bot activity, and suspicious session behaviour.

hellowin does not use third-party advertising or tracking cookies that would allow advertisers to profile you across other websites. You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies will affect your ability to use the Platform.

hellowin retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following general retention periods apply:

• Account and identity data: Retained for the duration of the Account plus a minimum of 5 years after Account closure, in compliance with AML record-keeping requirements under the Anti-Money Laundering Act of 2001 (Republic Act No. 9160 as amended).
• Transaction and financial data: Retained for a minimum of 5 years from the date of the transaction, as required by Philippine AML and tax regulations.
• Gaming history: Retained for a minimum of 3 years from the date of each game session, for regulatory compliance and dispute resolution purposes.
• Customer support communications: Retained for 2 years from the date of the communication, or longer where the communication relates to an ongoing dispute or investigation.
• Technical and session logs: Retained for 12 months from collection, after which they are permanently deleted or anonymised.
• Marketing data: Retained until you withdraw consent or opt out of marketing communications, at which point it is deleted within 30 days.

Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised so that it can no longer be associated with an individual.

hellowin implements technical and organisational security measures appropriate to the nature and sensitivity of the personal data it processes. These measures include:

• 256-bit SSL/TLS encryption for all data in transit between the Platform and user devices.
• AES-256 encryption for personal data stored on hellowin's servers and backup systems.
• Role-based access controls ensuring that hellowin staff can only access personal data required for their specific job function.
• Multi-factor authentication required for all hellowin staff accessing systems that contain personal data.
• Regular penetration testing and vulnerability assessments by independent security specialists.
• A documented data breach response procedure, including notification to the NPC and affected Data Subjects within the timeframes required by the DPA in the event of a qualifying breach.
• Annual security awareness training for all hellowin staff with access to personal data.

Under the Philippine Data Privacy Act of 2012, you have the following rights with respect to your personal data held by hellowin. These rights are enforceable and hellowin is required to respond to valid requests within 30 calendar days:

If you are a parent or guardian and believe that your child under 21 may have registered an Account with hellowin, please contact our DPO immediately using the details in Section 15 so we can take appropriate action.

hellowin's primary data processing operations are conducted within the Philippines. Where personal data is transferred to or processed in a jurisdiction outside the Philippines — for example, in connection with cloud infrastructure services or international game providers — hellowin ensures that appropriate safeguards are in place in accordance with the DPA and NPC Circular No. 16-01.

Such safeguards include:

• Binding contractual clauses in data processing agreements that impose DPA-equivalent protections on overseas processors.
• Transfer only to jurisdictions that the NPC has determined provide an adequate level of data protection, or where specific contractual safeguards compensate for any difference in protection levels.
• Ensuring that overseas processors are prohibited from further transferring personal data without hellowin's written authorisation.

hellowin reserves the right to update or amend this Privacy Policy at any time to reflect changes in our data processing practices, applicable law, or regulatory requirements. The effective date at the top of this Policy will be updated to reflect the date of the most recent revision.

Where a change is material — meaning it meaningfully affects how we collect, use, or share your personal data — hellowin will notify registered players via their registered email address or a prominent in-platform notification at least 14 days before the change takes effect. For minor or clarificatory changes, notification may be made by updating this page without separate individual notice.

Your continued use of the Platform after any revised Privacy Policy has taken effect constitutes your acceptance of those changes. We encourage you to review this page periodically. If you disagree with any change, you should cease using the Platform and contact the DPO to arrange Account closure and data handling in accordance with Section 11.

For any enquiries, requests, or complaints relating to this Privacy Policy or hellowin's data processing practices, please contact the hellowin Data Protection Officer through the following channels:

• Subject Line: Mark correspondence as "Data Privacy Request — [Your Account Reference]" for priority routing.
• Support Email: [email protected] (plain text — not a clickable link)
• Live Chat: Available 24/7 on the hellowin Platform. Indicate your query is a DPA/privacy matter for routing to the DPO team.
• Response Time: hellowin will acknowledge your request within 3 business days and provide a substantive response within 30 calendar days, as required by the DPA.

If you are not satisfied with hellowin's response to your privacy concern, you have the right to escalate your complaint directly to the National Privacy Commission of the Philippines. Information on how to file a complaint with the NPC is available on the NPC's official website.