This Privacy Policy applies to all personal data processed by toto21 in connection with your use of the toto21 platform, accessible at toto21.bio, including the casino games lobby, sportsbook, live dealer tables, account management features, payment services, and customer support channels.
By registering for a toto21 account and using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and processing of your personal data as described herein. If you do not agree to the terms of this Privacy Policy, you must not register for or use the toto21 Platform.
This Policy should be read together with toto21's Terms and Conditions, which govern the overall legal relationship between you and toto21.
For the purposes of the Data Privacy Act of 2012 and this Privacy Policy, toto21 is the personal information controller in respect of the personal data collected from players and visitors to the toto21.bio platform.
toto21 determines the purposes for which personal data is processed and the means by which such processing is carried out, in compliance with applicable Philippine data protection law. Where third-party service providers process personal data on toto21's behalf, they do so as personal information processors acting under documented instructions and contractual obligations consistent with this Policy.
For all data privacy related enquiries, requests, and complaints, please refer to Section 15 (Contact & DPO) of this Policy.
toto21 collects personal data across several categories depending on how you interact with the Platform. The following table summarises the categories of personal data we collect and the primary purpose for which each is collected:
| Data Category | Examples | Primary Purpose |
|---|---|---|
| Identity Data | Full legal name, date of birth, nationality, gender | Account registration, KYC verification, age compliance |
| Contact Data | Philippine mobile number (+63), email address, residential address | Account creation, OTP delivery, customer support, regulatory correspondence |
| Identity Document Data | Government-issued ID type and number, document images or scans | KYC verification, age verification, withdrawal approval |
| Financial Data | GCash account reference, Maya account reference, bank account details (BPI, BDO, Metrobank), deposit and withdrawal transaction records | Payment processing, withdrawal verification, anti-money laundering (AML) compliance |
| Gameplay Data | Game history, bet amounts, win/loss records, session durations, bonus usage | Game provision, responsible gaming monitoring, dispute resolution, platform improvement |
| Technical Data | IP address, device type, browser type and version, operating system, screen resolution | Fraud prevention, security monitoring, platform optimisation |
| Usage Data | Pages visited on toto21.bio, features accessed, time and duration of visits, navigation paths | Platform analytics, user experience improvement, marketing (with consent) |
| Communications Data | Live chat transcripts, email correspondence, support ticket content | Customer support, quality assurance, dispute resolution |
| Marketing Preferences | Consent status for promotional emails, SMS marketing opt-in/out records | Marketing communications management, regulatory compliance |
toto21 collects personal data through the following channels and mechanisms:
- When you create a toto21 account and complete the registration form;
- When you submit identity documents or proof of address during the KYC verification process;
- When you make deposits or request withdrawals using GCash, Maya, or bank transfer;
- When you contact the toto21 support team via live chat, email, or other channels;
- When you complete surveys, participate in promotions, or enter toto21 tournaments;
- When you update your account information or communication preferences in Account Settings.
When you access the toto21 Platform, certain technical and usage data is collected automatically by our systems. This includes your IP address, device and browser information, session timing data, and navigation behaviour within the Platform. This data is used for security monitoring, fraud detection, and platform performance optimisation.
toto21 may receive personal data from third-party sources in specific circumstances, including from payment processors (GCash, Maya, InstaPay, PesoNet) for transaction verification; from KYC and identity verification service providers; from fraud prevention and anti-money laundering screening services; and from public registries or databases where legally required for compliance purposes.
toto21 processes your personal data on the following legal bases as provided under the Data Privacy Act of 2012 and its implementing rules and regulations:
- Consent: Where you have given explicit consent for a specific processing purpose, such as receiving promotional communications or marketing messages. You may withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
- Contractual Necessity: Where processing is necessary for the performance of the contract between you and toto21 — including account creation, gameplay provision, payment processing, and customer support.
- Legal Obligation: Where processing is required to comply with a legal obligation applicable to toto21 under Philippine law, including KYC and AML obligations under PAGCOR regulatory frameworks and the Anti-Money Laundering Act (AMLA) as amended.
- Legitimate Interests: Where processing is necessary for toto21's legitimate interests, including fraud prevention, platform security, responsible gaming monitoring, and internal analytics — provided that such interests are not overridden by your rights and interests.
toto21 uses the personal data we collect for the following specific purposes:
- Account Management: Creating and maintaining your toto21 account, authenticating your identity at login, processing account updates, and managing your preferences;
- KYC and Age Verification: Verifying your identity and confirming that you are at least 21 years of age as required by Philippine gaming regulations before processing your first withdrawal;
- Payment Processing: Processing deposits via GCash, Maya, BPI, BDO, Metrobank, and other accepted channels; processing withdrawal requests to your verified payment method; and maintaining transaction records;
- Game Provision: Delivering the games, live dealer tables, sportsbook, and other Platform features you use; recording gameplay history for dispute resolution; and maintaining game integrity;
- Responsible Gaming: Monitoring gameplay patterns for indicators of problem gambling; administering deposit limits, loss limits, and self-exclusion tools; and communicating responsible gaming information where appropriate;
- Fraud Prevention and Security: Detecting, investigating, and preventing fraudulent activity, money laundering, bonus abuse, and other prohibited conduct; managing account security and login monitoring;
- Regulatory Compliance: Meeting toto21's obligations under PAGCOR guidelines, the Anti-Money Laundering Act, the Data Privacy Act of 2012, and other applicable Philippine law;
- Customer Support: Responding to your enquiries, resolving complaints, and maintaining records of support interactions for quality assurance;
- Marketing Communications (with consent): Sending promotional offers, bonus notifications, and platform news to players who have opted in to receive such communications;
- Platform Improvement: Analysing usage patterns and player feedback to improve the Platform's features, performance, and user experience.
toto21 may share your personal data with third-party service providers who assist us in operating the Platform. These include payment processors (GCash/Maya/InstaPay/PesoNet providers), identity verification and KYC service providers, game software providers, cloud hosting and infrastructure providers, customer support tooling providers, and fraud prevention and AML screening services. All such third parties are required to process personal data only in accordance with toto21's instructions and are bound by contractual data processing agreements.
toto21 may disclose personal data to Philippine government authorities, regulatory bodies (including PAGCOR and the Anti-Money Laundering Council), law enforcement agencies, or courts where such disclosure is required by Applicable Law, a lawful court order, or is necessary for the investigation or prosecution of criminal activity.
toto21 does not sell, rent, or otherwise transfer your personal data to third-party marketing organisations, data brokers, or unrelated commercial entities. Personal data is not used for any purpose incompatible with the purposes stated in this Privacy Policy without your prior consent.
The toto21 Platform uses cookies and similar tracking technologies to operate core Platform functions and to improve your experience. The following categories of cookies may be used:
- Strictly Necessary Cookies: Required for the Platform to function correctly. These include session management cookies, security tokens, and authentication cookies. These cannot be disabled without affecting Platform functionality.
- Functional Cookies: Used to remember your preferences, such as language settings and login status. These improve convenience but are not strictly required.
- Analytics Cookies: Used to collect aggregated data about how players navigate and use the toto21 Platform, enabling us to identify areas for improvement. These are deployed with your consent where required.
- Security Cookies: Used to detect and prevent fraudulent activity, bot traffic, and other security threats. These cookies support toto21's fraud detection infrastructure.
You may control non-essential cookie preferences through your browser settings. Disabling certain cookies may affect Platform functionality or your user experience. For further details on the specific cookies used by toto21, please contact our support team.
toto21 retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by Applicable Law. The following general retention guidelines apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and Identity Data | Duration of account + 5 years after closure | PAGCOR regulatory requirements; AML obligations |
| KYC Documents | 5 years from date of verification | Anti-Money Laundering Act (RA 9160 as amended); PAGCOR guidelines |
| Financial Transaction Records | 5 years from transaction date | AML reporting obligations; tax compliance |
| Gameplay Records | 3 years from account closure | Dispute resolution; responsible gaming monitoring |
| Support Communications | 3 years from last interaction | Quality assurance; legal dispute resolution |
| Marketing Preference Records | Until consent is withdrawn + 1 year | Proof of consent under Data Privacy Act |
At the end of the applicable retention period, personal data will be securely deleted or irreversibly anonymised unless a longer retention period is required by a specific legal obligation or ongoing legal proceeding.
toto21 implements a comprehensive range of technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, loss, or destruction. Key security measures include:
- 256-bit TLS/SSL encryption for all data transmitted between your device and toto21.bio;
- Encryption of sensitive personal data at rest using industry-standard encryption protocols;
- Role-based access controls limiting access to personal data to authorised personnel on a need-to-know basis;
- Two-factor authentication (2FA) for staff accessing systems that process personal data;
- Regular security audits, vulnerability assessments, and penetration testing of Platform infrastructure;
- 24/7 security monitoring and automated intrusion detection systems;
- Secure data centres with physical access controls and environmental protections;
- Mandatory data privacy and security training for all toto21 personnel with access to personal data.
Under the Data Privacy Act of 2012, you have the following rights in relation to the personal data that toto21 holds about you. To exercise any of these rights, please contact us through the channels described in Section 15.
Requests to exercise data subject rights should be submitted in writing to the toto21 Data Protection Officer via the contact details in Section 15. toto21 will verify your identity before processing any request and will respond within the timeframes prescribed by the Data Privacy Act.
The toto21 Platform is strictly restricted to individuals aged 21 years and above in accordance with Philippine gaming regulations. toto21 does not knowingly collect personal data from any person under the age of 21. The Platform is not designed for or directed at minors.
toto21 enforces age verification through the KYC process prior to processing any withdrawal. If toto21 becomes aware that personal data has been collected from a person under the age of 21, the relevant account will be immediately closed, any funds deposited will be returned to the original payment source, any winnings will be voided, and the personal data will be securely deleted in accordance with applicable law.
toto21 primarily processes personal data within the Philippines. However, some of toto21's third-party service providers — including game software providers and cloud infrastructure providers — may be located in jurisdictions outside the Philippines. Where personal data is transferred outside the Philippines, toto21 ensures that appropriate safeguards are in place to protect the data to a standard equivalent to that required under the Data Privacy Act of 2012.
Such safeguards may include contractual clauses approved by the National Privacy Commission, the existence of an adequate data protection framework in the destination country, or other mechanisms recognised under Philippine data protection law. Players may request information about the specific safeguards applicable to a particular cross-border transfer by contacting the Data Protection Officer.
toto21 reserves the right to update or amend this Privacy Policy at any time to reflect changes in applicable law, our data practices, or the Platform's features. The date of the most recent revision is displayed at the top of this Policy.
Where changes are material — meaning they significantly affect how your personal data is processed or your rights as a data subject — toto21 will notify you via the email address registered to your account or by displaying a prominent notice on the Platform prior to the changes taking effect. For minor updates that do not affect your rights, the revised Policy will simply be published on this page with an updated effective date.
Your continued use of the toto21 Platform after an updated Privacy Policy has taken effect constitutes your acceptance of the updated terms. If you do not agree to the changes, you must cease using the Platform and may request account closure in accordance with the Terms and Conditions.
For all privacy-related enquiries, data subject rights requests, or complaints regarding toto21's handling of your personal data, please contact us through the following channels:
- Live Chat: Available 24/7 inside your toto21 account — fastest response for general privacy enquiries, typically under 2 minutes
- Email (Data Privacy Requests): [email protected] — please include "Data Privacy Request" in the subject line and provide your registered account username
- Website: toto21.bio
toto21 has designated a Data Protection Officer (DPO) responsible for overseeing compliance with the Data Privacy Act of 2012 and this Privacy Policy. The DPO can be reached via the email address above with "For the Attention of the DPO" in the subject line.
If you are not satisfied with toto21's response to a privacy complaint, you have the right to escalate the matter to the National Privacy Commission of the Philippines (NPC) at privacy.gov.ph.