Privacy policy

I. Purpose

The purpose of this Privacy and Data Protection Policy (“Policy”) is to set out the guidelines applicable to the privacy and protection of the personal data of customers, employees, third parties, service providers, suppliers and partners to which Credipay (“Credipay”) has access as a result of its activities, establishing the rules on the collection, use, storage, sharing and deletion of personal data, in accordance with applicable laws, regulations and best market practices.

This document outlines Credipay's commitment to data security and to compliance with Law No. 13,709/2018, the Brazilian General Personal Data Protection Law (“LGPD”), and details the measures that protect personal information: data collection practices, encryption standards, authentication protocols and adherence to recognized industry security frameworks.

II. Scope

This Policy applies to all members of Credipay, including outsourced workers, interns and young apprentices (“employees”) of the companies of the Credix group, hereinafter jointly referred to as the “Company”, as well as to third parties, service providers and/or suppliers who have access to personal data held by these companies.

III. Guidelines

1. Initial Provisions

1.1. This Policy aims to demonstrate the Company’s commitment to:
1.1.1. Ensure the privacy and protection of personal data of customers, employees, third parties, service providers, suppliers and partners, collected in the course of its activities.
1.1.2. Adopt guidelines that ensure broad compliance with laws, regulations and best practices regarding personal data protection.
1.1.3. Promote transparency with data subjects and other stakeholders about how the company processes personal data.
1.1.4. Adopt effective and preventive measures to protect personal data in relation to the risk of security incidents involving such data.

2. Information subject to the Policy

2.1. The following are subject to this Policy:

2.1.1. All personal data provided or collected in the context of the provision of services by the Company to its customers for acceptance of e-payments, including the capture, transmission, processing of information and settlement of transactions, as well as the provision of other services and related products.

2.1.2. All personal data of employees, third parties, service providers, suppliers and partners provided or collected in the context of a contractual, legal or regulatory obligation, as well as any other personal data of these persons to which the Company has access.

3. Personal data collected

3.1. The personal data collected may vary according to the relationship maintained with the Company and are classified into the following groups:

3.1.1. Personal data provided by the subject: Data entered or forwarded by the data subject or his/her legal representative, arising from contact, registration or a contract with the Company, which may include, but is not limited to, the following: full name, CPF [Individual Taxpayer Registry Number], information about the company of which he/she is a partner, owner, legal representative or agent, full address, bank information, email address and phone number.

3.1.2. Information collected from the use of the services: Data related to the use of electronic payment methods, captured by the Company and transmitted and/or shared with third parties in the context and limit necessary for the processing and settlement of electronic payment transactions or for the transmission of non-financial information, object of service provided by the Company.

3.1.3. Personal data collected from the use of websites and applications: Data related to access to and browsing of the Company’s website, pages and applications, containing device identification information (date, time and IP address). The data subject's geolocation may also be collected to prevent fraud and for security and credit protection purposes.

3.1.4. Personal Data collected on social media and networks: Data collected from interactions made by the holders of personal data through the Company’s social media and/or networks.

3.1.5. Personal financial data: Data concerning the financial or credit status of the subject, such as income, equity, delinquency, credit rating, and data from the Central Bank’s Credit Information System, in accordance with applicable legislation in force.

3.1.6. Personal data of children under 18: The Company will only collect and process the personal data of minors under the age of 18 under the terms of article 14 of LGPD and pursuant to applicable laws.

4. Method and purpose of collection

4.1. Personal data will be collected through ethical and lawful means and stored in a secure, controlled environment for the period required by applicable law or regulation. The Company undertakes to take all reasonable measures to keep strictly confidential all personal data to which it has access or of which it becomes aware, including data on transactions, cardholders, cards and payment methods of its customers and of individuals directly related to them, obtained through the provision of services by the Company or through employment, contractual or partnership relationships. The Company is prohibited from assigning such information to third parties or allowing them access to it, except in the cases described in this Policy or required by law.

4.2. The Company uses the information collected through registration forms, entered by the user on its website or app, obtained directly from customers or collected automatically, for the following purposes: (i) provision of services; (ii) extending offers for the marketing and dissemination of products and services of interest to customers, employees and partners; (iii) customizing and improving the products and services offered; and (iv) preventing fraud and financial losses, including in cases that deviate from usual practice.

4.3. In some cases, the Company may also process personal data when necessary for compliance with legal or regulatory obligations or regular exercise of rights in judicial, administrative or arbitral proceedings.

4.4. The Company may also process personal data on the basis of its legitimate interest, always within the limits of the expectations of the data subject, and never to the detriment of the interests, rights and fundamental freedoms of the data subject.
4.5. The Company may process sensitive personal data for fraud prevention or research purposes, in which case the data will be anonymized whenever possible. The Company may also process such data with the consent of the data subject.

4.6. The information collected may also be used for advertising purposes, such as for sending communications and news that are of interest to current and potential customers, and to third parties. In such cases, the goal will be to better serve the target audience by offering products that fit their needs and profile.

4.7. The information collected may also be used for profile analysis and for the identification, management and handling of potential risks when offering and contracting products and/or services, as well as for other risk management activities, also aimed at the safety of customers and users.
4.7.1. The data may also be used for activities related to credit protection, such as risk assessment and management, assessment of financial and equity status, collection, credit assignment, information exchange and consultation with credit protection entities, and credit scoring.

4.8. The information may also be used to fulfil legal, regulatory and self-regulatory obligations, such as auditing, compliance, prevention of money laundering and terrorist financing, reporting to the Brazilian Federal Revenue Service, fraud prevention measures, providing information to the Central Bank of Brazil and other competent bodies in Brazil and abroad, and reporting suspicious transactions to COAF (Financial Activities Control Council), among other activities.

5. Relationship with third parties

5.1. The access of third parties to the information collected by the Company is solely for the fulfillment of the purposes set out in this Policy and within the necessary limits for the performance of activities related to the course of its business, and may be carried out, including, but not limited to:
5.1.1. Payment arrangement providers and members of such arrangements;
5.1.2. Electronic funds transfer networks;
5.1.3. Clearing and settlement banks;
5.1.4. Service providers that perform commercial and/or information processing operations for the Company and/or activities related to the Company’s activities and that have been subcontracted by the Company;
5.1.5. Partners of the Marketing Superintendence;
5.1.6. Independent auditors;
5.1.7. Collection agencies, credit protection services and similar bodies;
5.1.8. Competent regulatory bodies.

5.2. In any of the cases set out in item 5.1 above, the information collected by the Company is used exclusively to meet the purposes set forth in this Policy, in the performance of the Company’s activities or in offering the client specific content derived from that information within the Company’s area of operation; in each case the information is handled securely, encrypted whenever possible and anonymized when appropriate.

5.3. The Company may share aggregate information with its partners, provided that such information is not personally identifiable. For example, it may share information to demonstrate trends about the general use of its services and/or market trends and indicators.

5.4. Whenever it becomes necessary to use the information collected by the Company for purposes other than those defined in this Policy or those expressly authorized by the data subject, the Company will inform the data subject directly about this new purpose and, when necessary, collect a new authorization.

5.5. Some of the transfers indicated above may take place outside Brazilian territory; possible destinations are the United States and the European Union. In such cases the Company undertakes to transfer data only to countries that provide a degree of protection for personal data considered adequate under the applicable legislation, or under guarantees and safeguards such as specific contractual clauses, standard contractual clauses or global corporate rules, among others, or with the data subject's prior consent, or under the other hypotheses authorized by law.

5.6. The Company requires all third parties to keep confidential the information shared with them or to which they gain access in the exercise of their activities, and to use such information exclusively for the purposes expressly permitted. The Company shall not, however, be liable for misuse of such information by third parties or their employees in breach of this Policy or of the contractual obligations they have assumed under their own instruments.

5.7. The Company also requires all third parties contracted by it to comply with all obligations contained in this Policy, and the third parties will be subject to the same obligations as the Company, for the data processing activities performed, before the data subjects.

6. Information security

6.1. In order to ensure the security of the information collected and/or provided, the Company maintains physical, logical, technical and administrative security processes compatible with the sensitivity of the information collected, the effectiveness of which is periodically assessed by an independent audit process.
6.1.1. The Company relies on cloud infrastructure to manage and deliver its services securely while prioritizing the privacy of its customers. It exclusively uses cloud services covered by SOC 2 attestation reports, which demonstrate the providers' adherence to recognized industry security controls.

6.2. The Company implements new procedures and continuous technological improvements to protect all personal data collected and/or transmitted.

6.3. The Company uses current, market-available methods and equipment to encrypt and, where necessary, anonymize personal data. Encryption protects data before it is transmitted over the internet: it renders the information unreadable to anyone intercepting it on the way to the Company's technology environment.
6.3.1. Credipay encrypts all stored data, including databases and file storage, with the 256-bit Advanced Encryption Standard (AES-256). Encryption at rest is a privacy safeguard in its own right: systems and engineers without access to the corresponding keys cannot read the underlying information, which reinforces the Company's commitment to customer privacy.
6.3.2. Data in transit is protected with Transport Layer Security (TLS): all external and internal transfers, including API calls and communications between Credipay services, are encrypted. TLS, which underlies the HTTPS protocol used by our API endpoints, provides confidentiality and integrity for data in transit and authenticates the server endpoint to the client.

6.4. The Company authorizes access to the place where personal information is stored only for specific persons and only where that access is strictly necessary for the accomplishment of the intended activity.

6.5. To further strengthen access control, Credipay authenticates all stakeholders with the OpenID Connect (OIDC) protocol. OIDC is an identity layer on top of OAuth 2.0: it verifies the identity of each user so that access is granted only to authenticated, authorized Credipay users, and, together with the underlying OAuth 2.0 authorization, grants each user access to specific resources while withholding others, thereby keeping strict control over who can reach which data.
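The checks behind the verification described in 6.5, as an added example that is not Credipay's code and does not describe its systems: a relying party receives an OIDC ID token (a signed JWT) and must validate the signature and the iss, aud, exp, iat and nonce claims before trusting the identity it carries, and only then apply its own authorization policy. The issuer URL, client identifier, client secret, the custom `roles` claim and the resource policy are all assumptions constructed for the example. It uses HS256 (HMAC-SHA256 keyed with the client secret, which OIDC Core permits for confidential clients) so that it runs on the Python standard library alone; deployments that verify RS256 or ES256 signatures against keys published at the provider's JWKS endpoint need a JOSE library for the signature step, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values, constructed for this example only.
ISSUER = "https://idp.example.test"  # the OIDC provider's issuer URL
CLIENT_ID = "credipay-dashboard"  # this relying party's client_id
CLIENT_SECRET = b"example-client-secret-do-not-reuse"
CLOCK_LEEWAY = 60  # tolerated clock skew, in seconds
# Hypothetical policy: which roles (a custom claim) may reach which resource.
RESOURCE_POLICY = {"merchant-settlements": {"ops", "finance"}, "customer-pii": {"dpo"}}


class TokenError(ValueError):
    """Raised when an ID token fails any verification step."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint an ID token the way the provider would. alg='none' exists only
    to show that the verifier rejects unsigned tokens."""
    signing_input = _json_segment({"alg": alg, "typ": "JWT"}) + "." + _json_segment(claims)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token, secret, issuer, client_id, now=None, nonce=None):
    """Validate the signature and the iss/aud/azp/exp/iat/nonce claims
    (OIDC Core 3.1.3.7). Returns the claims only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # bad base64 or bad JSON
        raise TokenError("undecodable token") from exc
    # Pin the algorithm on the verifier side: letting the token choose it
    # opens the 'alg: none' and key-confusion bypasses.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only after the signature checks out is the payload trustworthy.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise TokenError("azp must name this client when aud lists several")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_LEEWAY:
        raise TokenError("exp missing or token expired")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + CLOCK_LEEWAY:
        raise TokenError("iat missing or in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch, possible replay")
    return claims


def authorize(claims: dict, resource: str) -> bool:
    """Authentication says who the caller is; this hypothetical policy
    decides whether that identity may reach the requested resource."""
    return bool(set(claims.get("roles", [])) & RESOURCE_POLICY.get(resource, set()))


if __name__ == "__main__":
    now = int(time.time())
    token = sign_id_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "exp": now + 300,
                           "iat": now, "nonce": "n-1", "roles": ["ops"]}, CLIENT_SECRET)
    claims = verify_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, nonce="n-1")
    print(claims["sub"], authorize(claims, "merchant-settlements"))
```

The order of the checks is the point: the algorithm is fixed by the verifier rather than read from the token, the signature is checked before any claim is parsed, and the identity established by the token is kept separate from the authorization decision that follows it.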

6.6. The Company requires that employees, third parties and partners who process personal data undertake to keep the information accessed strictly confidential and to adopt the best practices for handling it, as established in internal policies and regulations.

6.7. In addition to technical efforts, the Company also adopts institutional measures aimed at the protection of personal data, so that it maintains a privacy governance program applied to its activities and structure.

6.8. Access to the information collected is restricted to employees and authorized persons. Anyone misusing this information will be subject to the appropriate administrative, disciplinary and legal sanctions.

6.9. Notwithstanding the security measures adopted, the Company shall not be liable for damages arising from security breaches and/or incidents due to the occurrence of any fact or situation for which it is not responsible.

6.10. When processing the information collected, the Company uses structured systems to meet the security and transparency requirements, good practice and governance standards, and the general principles established in LGPD.

7. Rights of data subjects

7.1. In compliance with the applicable regulations regarding the processing of personal data, the Company respects and guarantees the data subject the possibility of submitting requests based on the following rights:

  • Confirmation of the existence of processing;
  • Access to the data;
  • Correction of incomplete, inaccurate or outdated information;
  • Anonymization, blocking or deletion of data that is unnecessary, excessive or not compliant with the law;
  • Portability of the data to another service or product provider, upon express request by the data subject;
  • Deletion of data processed on the basis of the data subject's consent;
  • Information about the public or private entities with which the Company has shared his/her data;
  • Information on the possibility of not providing consent and on the consequences of refusal;
  • Withdrawal of consent;
  • Review of decisions taken solely on the basis of automated processing of personal data.

7.2. Some of the above rights may be exercised directly by the data subject or his/her legal representative through the management of registration information available in the logged-in area of the site; others require a request to our Privacy/Data Protection Officer (“DPO”), followed by evaluation and adoption of the necessary measures. The channel for receiving such requests is the email legal@credix.finance.

7.3. Any request for deletion of information essential for the management of registration with the Company will imply the termination of its contractual relationship, with the consequent cancellation of the services then provided, and the data may be kept to comply with legal or regulatory determination.

8. Cooperation with regulatory authorities

8.1. In the event that it becomes necessary to disclose personal data, whether due to compliance with the law, a court order or a competent body supervising the activities carried out by the Company and/or third parties, such information shall only be disclosed in the strict terms and within the limits required for its disclosure, and the holders of the information disclosed shall, as far as possible, be notified of such disclosure, so that they may take appropriate protective or remedial measures.

9. Amendments

9.1. This Policy may be amended at any time, depending on the purpose or need for adequacy and compliance of the provision of law, regulation or whenever the Company deems necessary. Changes will be disclosed through Credipay's website. The continued use of the services or the provision of services to the Company, as the case may be, after disclosure of the changes, will be considered acceptance of the client and third parties regarding the new terms and conditions.

IV. Management of Consequences

Employees, vendors or other stakeholders who observe any deviation from the guidelines of this Policy may report the fact to the DPO. Internally, non-compliance with the guidelines of this Policy gives rise to the application of accountability measures to the agents who fail to comply with it, according to the severity of the non-compliance and as per internal regulations, and is applicable to all persons described in the item “Scope” of this Policy, including the leadership and members of the Executive Board.

V. Responsibilities

Officers, Employees and Service Providers: Observe and ensure compliance with this Policy and, when necessary, to contact the DPO for guidance on situations involving conflict with this Policy or upon the occurrence of situations described therein. Act ethically and responsibly when becoming aware of any security incident involving personal data, informing, in a timely manner, the appropriate areas. Understand the role of information security and privacy in their daily activities and participate in awareness and education programs.
Privacy and Data Protection Officer (DPO): Advise the Executive Board on privacy and data protection issues, with a view to compliance with applicable laws and regulations, in particular the LGPD.
Executive Board: Deliberate, as recommended by the DPO, on the resources for the implementation, maintenance and improvement of Privacy Policy, including conducting periodic critical analysis of the system, appreciating the results, metrics and indicators.

VI. Concepts and Acronyms

Clients: Individual who has registered in the Company’s system and to whom the personal data being processed refer;
Personal data: Any information related to an identified or identifiable individual, such as: first name, last name, date of birth, personal documents (CPF [Individual Taxpayer Registry], RG [ID], CNH [Drivers License], Employment Record Card, passport, voter registration card, among others), home or business address, phone, email, cookies and IP address;
Sensitive personal data: Any personal data on racial or ethnic origin, religious belief, political opinion, membership of a trade union or religious, philosophical or political organization, data concerning health or sexual life, genetic or biometric data, when linked to an individual;
Personal Data Processing Officer (“DPO”): Person appointed by the Company to serve as a point of contact between the personal data subjects and the National Data Protection Authority (“ANPD”), as well as in charge of the initiatives of the Company’s Data Privacy Governance Program;
Information: Data, processed or not, that can be used for the production and transmission of knowledge, contained in any medium or format;
Protection of Personal Data: Guarantee to data subjects of the rights of access, correction, control and confidentiality of information;
Stakeholders: All relevant target audiences with interests pertinent to the Company, as well as individuals or entities that assume some type of risk, direct or indirect, with respect to the Company. Among others, the following are highlighted: shareholders, investors, employees, society, clients, vendors, creditors, governments, regulatory bodies, competitors, press, associations and class entities, users of electronic means of payment, and non-governmental organizations;
Third parties: Individual or legal entity, public or private, who provides services to the Company, on its premises or remotely, and who, in the exercise of their activities, may gain access to information related to the business of the Company or its Clients;
Data subject: Individual to whom the personal data being processed refer;
Transport Layer Security (TLS): A cryptographic protocol that provides confidentiality, integrity and endpoint authentication for data exchanged between two applications over a network such as the Internet; it protects the connection between the two TLS endpoints, not the data once it is stored or forwarded beyond them.

VII. General Provisions

The Company’s Board of Officers is responsible for changing this Policy whenever necessary.