Privacy Notice

Welcome to RAFI Microfinance, Inc (“we,” “our,” or “us”). We are committed to protecting your privacy and safeguarding your personal information. This Privacy Notice explains how we collect, use, disclose, and protect your personal data in connection with our microfinance services. By using our services, you consent to the practices described in this Privacy Notice.

This Privacy Notice applies to individuals whether as:

• current, past, and prospective clients or
• non-clients – beneficiaries of the microfinance products and non-financial services we provide;
• visitors or inquirers at our branches and online channels; and
• other persons involved in the application of financial or non-financial services whether approved or rejected

• when you join as a member with RAFI MFI and participate in our activities
• when you register to our KaagapPay App,
• when you avail of our products and services, or contact us about them
• when you join in our community engagement activities (such as – but not limited to – center learning session as faculties, feeding programs, community outreach activities, medical missions, women’s reproductive health activities, skill-based training sessions such as cookery, tech-voc trainings, workshops, center advisory board activities, general assemblies)
• when you sign up with our trainings whether synchronous or asynchronous
• when you join our market linkages activities such as trade fairs and exhibits, reseller programs, Tindahan ni Nanay Facebook Page
• when you chat with our Chatbot or our live agents, we will store live chat transcripts.
• when you complete a customer survey or provide us with feedback
• when you choose to interact with us via social media, such as Facebook

We may also obtain your information from other sources (i.e., center leaders and members, publicly available platforms, financial institutions, microfinance institutions, credit agencies, public authorities, and other registers) for purposes of identity verification and credit evaluation).

Wherever we have collected it, we will treat sensitive Personal Information carefully.

1. Know-Your-Client (KYC) / Identification Data – refers to Personal Information and Sensitive Personal Information we collect when you join as a member of RAFI MFI such as full legal name, gender, date & place of birth, civil status, present address, government-issued identification numbers, contact number, dependents, number of years residing in your present address, business information such as business name, address, contact details, type of business, source of funds, gross annual income, number of years in operation and such other information necessary to conduct due diligence.
2. Transactional Data – refers to information when you contact us through our official channels such as branches, customer service hotline, web and mobile platforms.
3. Financial Data – this is the information about your credit history and capacity, and other financial products and services you have with us.
4. Behavioral Data – this refers to the customer segment you belong, usage of our products and services, the internet protocol addresses of your devices used to access our KaagapPay App, interests and needs you share with us.
5. Audio Visual Data – for security and improvement of our services, we process audio and video recordings of your interactions with us and surveillance videos at branches, subject to limitations imposed by law.
6. Minor’s, Incompetent’s and Person’s under Guardianship Data – we may collect information about minors (those below 18 years of age), incompetents and persons under guardianship if they have joined activities and programs with us (such as – but not limited to – Bugsay Scholarship Programs, Feeding Programs, medical missions, DACFTigom Panglawas) with parental consent or pursuant to legally-instituted guardianship proceedings or if you provide us with the same in relation to a product or service you signed up with us (i.e. when you register minors, incompetents and those under guardianship as beneficiaries to a service with us).

Sensitive Personal Data: we may require the following Sensitive Personal Information:

1.  your height & weight, occupation and nature of work as well as information of your beneficiaries, their age and their relationship with you when you apply for micro-insurance products with us;
2.  for customer verification, your government-issued identification numbers or cards such as passport or driver’s license ID;
3.  your medical history such as information regarding your health, medical conditions, medications, treatments, and other health-related information required to provide our services;
4. your training records such as information related to your training progress, performance, assignments, assessments, and any other data generated during your training;
5. photo & video documentations during community activities initiated by us;
6. any information that is necessary, incidental to contractual agreement or in connection with a requested product or service.

The foregoing data are collectively referred to as “Client Information.”

We ensure that only authorized employees and third-party service providers, who satisfy our legal and data privacy requirements, can process your data.

1. Data Storage

• • We store Client Information in secure and encrypted RAFI MFI-managed environments, devices, and media. For third-party managed environments such as cloud service providers, we employ security protocols prior to deployment.
  • We store physical copies of documents containing Client Information in locked cabinets.

2. Data Access

• • Client Information can only be accessed by authorized personnel on a role-based manner following the proportionality principle.

3. Data Use

1. 1. Client Engagement
      • We use your contact details with us to communicate with you about your relationship with us, and to undertake activities related to the provision of services including, but not limited to, customer service and conduct of surveys, the provision of research reports, other product related materials, and administration of awards.
      • We may send you email or mobile notifications, telephone calls, or newsletters about product and services enhancements.
      • We use your contact details to contact you to verify your identity.

      You have the right to opt out from these forms of communication or choose another means through which we can contact you.

   2. Marketing
      • We may use your information to send out campaigns of other microfinance products and services.
      • We want to establish a more personalized relationship with you by providing offers that suit your financial and household needs.

      You have the right to withdraw your consent and opt out of our offers.

   3. Due Diligence and Regulatory Compliance
      • We may use Client Information to evaluate your eligibility for RAFI MFI’s products and services. In assessing your ability to repay your loans, we conduct credit and background investigation and reporting on your
        credit history and account updates.
      • We process Client Information in compliance with legal obligations and statutory requirements by MNRC, and other regulatory agencies, including assisting other microfinance institutions to conduct background or
        credit checks.
   4. Business Insights
      • We perform data analysis and reporting based on your Client Information to aid our management make better decisions.
      • We carry out compliance review or testing, internal audits or enable the conduct of external audits to aid us in improving our financial and non-financial services.
   5. Data Quality
      • We shall obtain additional information about you from government institutions or credit bureaus to improve the quality of your Client Information with us. We may contact you to ensure accuracy and integrity of your
        information in our data processing systems.
   6. Remedies and Verification
      • We may use Client Information to enforce (including without limitation collecting amounts outstanding) or defend the rights of RAFI MFI and/or any, its employees, officers, and directors, contractual or otherwise.
      • We need to verify the identity or authority of your family members, friends, beneficiaries, attorneys, attorneys-in-fact, and other individuals, representatives who contact RAFI MFI or may be contacted by RAFI MFI to
        carry out or respond to requests, questions, or instructions from verified representatives or other parties.
   7. Pay-It-Forward Activities
      We use your information for the following purposes:
      • To assess your healthcare needs and deliver appropriate medical care during our missions.
      • To facilitate your medical treatment, including diagnosing conditions, providing medical care, and coordinating follow-up care if necessary.
      • To provide you with training programs, materials, and support services, whether through synchronous or asynchronous methods.
      • To evaluate your training progress, provide feedback, and adjust our services accordingly.
      • To communicate with you regarding our non-financial services, training updates, other healthcare- related information.
      • To analyze data for quality improvement, research, and development of our non-financial services.

4. Data Retention

For financial data and documents which indicate taxable transactions, data shall be preserved for ten (10) years per BIR regulation. We keep your data as long as it is necessary:

1. For the fulfillment of the declared, specified, and legitimate purposes, or when the processing relevant to the purposes has been terminated;
2. For the establishment, exercise, or defense of legal claims; or
3. For legitimate purposes, which shall be in accordance with the standards of the microfinance industry.

Loan-related transactions shall be retained for five (5) years from the date of the transaction, except where specific laws and/or regulations require a different retention period, in which case, the longer retention period is observed.

Data collected alongside financial data such as Poverty Index, Social Performance Indicators, and Proficiency Placement results will be retained for ten (10) years.

Photos collected from events as well as performance tasks and attendance
sheets will be retained for five years from the date of the transaction or event.

5. Data Disposal

After the expiration of the imposed retention period, we dispose of personal data in a secure manner to prevent further processing, unauthorized access, or disclosure. Client Information and the client’s right to data deletion are subject
to data retention requirements and certain limitations under regulatory requirements.

We can only exclude you from receiving marketing notifications by emailing RAFI MFI’s Data Protection Officer at
rafimfi.dataprivacy@rafi.ph. The request shall be processed after submission of your formal written request. You will be informed of the limits and bounds, and consequences of such request.You likewise understand that prior to such Do Not Contact Request, your data has already been processed and shared in accordance with this Privacy Notice.

1. Credit Information Corporation (CIC)
   The Credit Information Systems Act (RA 9510) mandates us to submit your credit data to the CIC via MIDAS (Microfinance Information Data Sharing, Inc.) and share the same with other accessing entities and special accessing entities authorized by the CIC.
2. Judicial and Investigative Authorities
   We may be mandated to disclose certain Client Information upon service of legal court orders (such as when we file for small claims) or express legal request from police, public prosecutors, courts, or dispute resolution providers allowed by law.
   In these cases, we will notify you of the disclosure to the requesting government authority, subject to limitations imposed by law.

1. Other Regulatory Authorities
   Regulatory authorities when such other persons or entities we may deem as having authority or right to such disclosure of information as in the case of regulatory agencies, government or otherwise, which have required such disclosure from us and when the circumstance so warrant.
2. Financial Institutions
   To fulfill payments and services, we may have to share your information with remittance companies (i.e. Palawan, M Lhuiller), insurer, or any other person who will be involved in the transaction or service.
   We disclose your Client Information with insurers, insurance brokers for protection against all kinds of risks.
3. Value Added Services.
   We may disclose your Client Data to our partners who collaborate with us to provide services to you. In the course of the MFI’s business, we may also disclose your Client Data to the following authorized personnel, including, but not limited to, a broker, contractor or third party service provider who provides insurance, support to our systems and storage of information, reference or other background checks, leads and referrals, consulting service, or other services to the MFI.
   
   We may also share from time to time, the data provided by you to us, with, and including affiliates of: (i) Aboitiz & Company, Inc. (ACO); (ii) Aboitiz Equity Ventures (AEV); and (iii) Ramon Aboitiz Foundation Inc; for the purposes as set out in this Data Privacy Notice, provided by you to us from time to time or for compliance to any law, regulations, government requirement, treaty, agreement, policy or as required by or for the purpose of any court legal process, examination, inquiry, audit, or investigation of any authority. This applies notwithstanding any non-disclosure agreement.

Under the Data Privacy Act of 2012, you have the following rights:

• Right to be informed – you may demand the details as to how your Personal Information is being processed or has
  been processed by RAFI MFI
• Right to access – upon written request, you may demand reasonable access to your Personal Information, which may
  include the contents of your processed personal information, the manner of processing, sources where they were
  obtained, recipients and reason of disclosure.
• Right to dispute – you may dispute inaccuracy or error in your Personal Information in our systems through our
  Customer Experience representatives.
• Right to correct – you may require RAFI MFI to correct any Personal Data relating to you which is inaccurate.
• Right to object – you may suspend, withdraw, and remove your Personal Information from certain further processing,
  upon demand, which includes your right to opt-out to any notifications and marketing activities.
• Right to data erasure – based on reasonable grounds and subject to applicable laws and regulations, you have the
  right to suspend, withdraw or order blocking, removal or destruction of your personal data from RAFI MFI’s filing
  system, without prejudice to RAFI MFI’s continuous processing for operational, legal, and regulatory purposes.
• Right to data portability – you have the right to obtain from RAFI MFI your Personal Information in an electronic format that is commonly used and allows for further use.
• Right to be indemnified for damages – you have the right to be indemnified for any damages sustained due to
  such violation of your right to privacy through inaccurate, false, unlawfully obtained or unauthorized use of your
  information.
• Right to file a complaint – you may file your complaint or any concerns with our Data Protection Officer and/or with
  the National Privacy Commission through privacy.gov.ph.