Privacy Policy

This Privacy Policy ("Policy") is issued by sugal ("sugal," "we," "us," "our"), the operator of the online gaming platform available at sugal.win ("the Platform"), and governs the collection, use, storage, disclosure, and protection of personal information relating to registered players, prospective players, and visitors to the Platform ("you," "your," "Data Subject").

sugal is committed to protecting the privacy and personal data of all individuals who interact with our platform. This commitment is grounded in the Data Privacy Act of 2012 (Republic Act 10173) and its Implementing Rules and Regulations, issued by the National Privacy Commission (NPC) of the Philippines. Our data handling practices are also shaped by PAGCOR's licensing conditions, the Anti-Money Laundering Act (Republic Act 9160, as amended), and other applicable Philippine laws.

By registering on sugal, depositing funds, or otherwise using any feature of the Platform, you acknowledge that you have read and understood this Policy and consent to the collection and processing of your personal data as described herein.

For the purposes of the Data Privacy Act of 2012, sugal is the Personal Information Controller (PIC) in respect of all personal data processed in connection with the operation of sugal.win. This means sugal determines the purposes for which and the means by which personal data is processed.

Certain third-party service providers engaged by sugal to support platform operations — including payment processors, identity verification providers, and game software suppliers — act as Personal Information Processors (PIP) in respect of data processed on our instructions. These relationships are governed by written data processing agreements that impose obligations consistent with RA 10173.

sugal's designated Data Protection Officer (DPO) oversees compliance with this Policy and with applicable data privacy law. Contact details for the DPO are provided in Section 15 of this Policy. The DPO is reachable for all data privacy inquiries, data subject access requests, and complaints.

sugal collects personal data from you through several channels including account registration, identity verification, platform usage, and customer support interactions. The categories of data collected are as follows:

3.1 Registration and Account Data

3.2 Identity Verification (KYC) Data

3.3 Financial and Transaction Data

3.4 Gaming Activity Data

3.5 Technical and Usage Data

3.6 Communications Data

sugal processes your personal data for the following defined purposes:

sugal does not use your personal data for any purpose beyond those stated above without first obtaining your explicit consent, except where processing is required to comply with a legal obligation or to protect vital interests.

Under the Data Privacy Act of 2012, sugal processes your personal data on the following legal grounds:

• Contractual Necessity: Processing required to create and maintain your account, process deposits and withdrawals, and provide gaming services under the Terms and Conditions you accepted upon registration.
• Legal Obligation: Processing required to comply with PAGCOR licensing conditions, the Anti-Money Laundering Act, the Data Privacy Act itself, and all other applicable Philippine laws and regulations.
• Legitimate Interests: Processing for fraud prevention, platform security, responsible gaming monitoring, and internal analytics where these interests are not overridden by your privacy rights.
• Consent: Processing for optional marketing communications and non-essential cookies, where you have provided specific, freely given, and informed consent. Consent-based processing may be withdrawn at any time without affecting processing carried out prior to withdrawal.

sugal does not sell your personal data. We share your data only in the following circumstances and only to the extent strictly necessary:

• Payment Processors: GCash (Mynt / G-Xchange Inc.), Maya (PayMaya Philippines Inc.), BPI, BDO, Metrobank, and other payment service providers receive transaction-necessary data to process deposits and withdrawals. These providers are regulated by the Bangko Sentral ng Pilipinas (BSP).
• Identity Verification Providers: Third-party KYC and anti-fraud technology vendors process identity document images and biometric data on our instructions to verify player eligibility under PAGCOR rules.
• Game Software Providers: Providers such as JILI Games, Pragmatic Play, PG Soft, and Evolution Gaming receive pseudonymous session identifiers and bet data to power their games and detect irregularities. They do not receive your full personal identity data.
• Regulatory Authorities: PAGCOR, the National Privacy Commission, the Anti-Money Laundering Council (AMLC), and other competent Philippine government authorities may require disclosure of player data pursuant to lawful orders, regulatory inspections, or mandatory reporting obligations.
• Professional Advisors: Legal, accounting, and audit firms engaged by sugal may access relevant records under strict confidentiality obligations.
• Corporate Transactions: In the event of a business sale, merger, or restructuring, player data may be transferred to a successor entity subject to continuity of this Policy's protections and proper notification to affected data subjects.

sugal uses cookies and similar tracking technologies to operate and improve the platform. Cookies are small text files placed on your device by your browser when you visit sugal.win. The following categories of cookies are used:

• Strictly Necessary Cookies: Required for the platform to function. These include session authentication tokens, security cookies, and load-balancing identifiers. These cannot be disabled without preventing platform use.
• Performance and Analytics Cookies: Used to understand how players navigate and use the platform — for example, which games are visited most frequently, how long sessions last, and where errors occur. Data is aggregated and pseudonymous where possible.
• Functional Cookies: Remember your preferences such as language selection, preferred game view, and responsible gaming settings to improve your experience across sessions.
• Marketing Cookies: Used only with your prior consent to deliver relevant promotions and personalise offers based on your gaming preferences. You may withdraw consent for marketing cookies at any time through your account preferences.

You may manage your cookie preferences through your browser settings. Please note that disabling non-essential cookies will not affect your ability to access sugal's core gaming features, though some personalisation functions may be limited.

sugal implements a comprehensive set of technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or disclosure. These measures include:

• Transport Encryption: All data transmitted between your device and sugal servers is encrypted using TLS 1.2 or higher with 256-bit AES encryption, providing a security standard equivalent to Philippine banking platforms.
• Password Security: Account passwords are processed using industry-standard one-way cryptographic hashing with salting. sugal staff cannot retrieve your password in plaintext under any circumstance.
• Two-Factor Authentication (2FA): Players may enable SMS-based 2FA on their accounts, adding a second layer of authentication that prevents access even if login credentials are compromised.
• Access Controls: Access to player personal data within sugal is restricted to employees and contractors who require access to perform specific authorised functions. Access is logged and audited.
• Infrastructure Security: sugal's platform infrastructure employs firewalls, intrusion detection systems, DDoS mitigation, and regular penetration testing by qualified security professionals.
• KYC Document Security: Identity document images and biometric data collected during KYC are stored in encrypted, access-controlled vaults separate from general account data, with strict purpose limitation.

sugal retains personal data for as long as necessary to fulfil the purposes described in this Policy, comply with applicable legal and regulatory obligations, and resolve disputes. The following retention periods apply:

On expiry of the applicable retention period, personal data is securely deleted or anonymised so that it can no longer be associated with an identified or identifiable individual.

Under the Data Privacy Act of 2012, you have the following rights with respect to your personal data held by sugal. These rights may be exercised by contacting the Data Protection Officer using the details in Section 15.

Requests to exercise your rights will be acknowledged within 3 business days and addressed within 15 business days. We may request proof of identity before processing a data subject access request to protect against fraudulent requests. If you are unsatisfied with our response, you have the right to lodge a complaint with the National Privacy Commission of the Philippines.

sugal does not knowingly collect personal data from persons under 21 years of age. The platform is strictly restricted to adults aged 21 and above as required by PAGCOR regulations and Philippine law.

If you have reason to believe that a person under 21 years of age has registered or attempted to register on sugal, please contact us immediately at [email protected]. We take underage gaming seriously and investigate all reports promptly.

Where sugal engages third-party service providers whose servers or operations are located outside the Philippines — including international game software providers, cloud infrastructure providers, or KYC technology vendors — your personal data may be transferred to and processed in jurisdictions outside the Republic of the Philippines.

Any such cross-border transfer of personal data is carried out in compliance with Section 21 of the Data Privacy Act of 2012 and the NPC's rules on cross-border data flows. Specifically:

• Transfers are made only to jurisdictions determined to provide an adequate level of data protection, or
• Where the receiving country does not provide equivalent protection, transfers are made subject to binding contractual clauses that impose obligations equivalent to RA 10173 on the recipient, or
• The transfer is necessary for the performance of a contract between you and sugal (such as processing a payment through an international payment network).

You may request information about the specific safeguards applied to any cross-border transfer of your data by contacting the Data Protection Officer.

In the event of a personal data breach — meaning any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data — sugal will respond in accordance with the Data Privacy Act of 2012 and the NPC's Circular on Personal Data Breach Management.

sugal's breach response procedures include:

• Containment: Immediate steps to contain the breach and prevent further unauthorised access or disclosure.
• Assessment: Risk assessment to determine the likely consequences of the breach for affected data subjects, with a specific evaluation of any resulting harm to Filipino players.
• NPC Notification: Where required by NPC regulations, sugal will notify the National Privacy Commission within 72 hours of becoming aware of a notifiable breach.
• Data Subject Notification: Where a breach is likely to give rise to a real risk of serious harm to affected players, sugal will notify those individuals using their registered contact details, providing information on the nature of the breach, the data affected, and the measures taken.
• Documentation: All personal data breaches are documented in sugal's internal breach register regardless of whether notification is required.

sugal reserves the right to update or amend this Privacy Policy at any time to reflect changes in our data processing practices, applicable law, or PAGCOR regulatory requirements. The "Effective Date" at the top of this document will be updated whenever a material change is made.

Material changes to this Policy that affect the rights of registered players will be communicated via email to the address registered on the player's account and/or through a prominent notice on the sugal platform, at least 14 days before the changes take effect where practicable.

Your continued use of the sugal platform after the effective date of any amended Policy constitutes your acceptance of the updated terms. If you do not accept the revised Policy, you should cease use of the platform and contact sugal to request account closure.

For all inquiries, requests, or complaints related to this Privacy Policy or the processing of your personal data, please contact sugal's Data Protection Officer:

If you are not satisfied with sugal's response to a data privacy complaint, you have the right to escalate your complaint to the National Privacy Commission of the Philippines, which is the supervisory authority for data protection matters under the Data Privacy Act of 2012. Information about how to file a complaint with the NPC is available through official Philippine government channels.