Privacy Policy

Notice to Users Regarding the General Data Protection Law

Caruana S.A. SCFI emphasizes its commitment to transparency, privacy, and the security of its customers’, employees’, and users’ data on its applications and platforms. In this context, we anticipate some important concepts and information relevant to the environment of the General Data Protection Law (LGPD), which will be further detailed with the update of our “terms of use and privacy policy,” soon to be published.

For any questions, our service channels are available.

Users’ Rights The owner of personal data has the right, as provided by the General Data Protection Law, to obtain information regarding the data under processing, at any time, and upon formal request. The owner can also request correction, updating, or portability of the data.

Important Concepts

  • “Data Subject” – Any individual who will use the platform and application.
  • “Personal Data” – Any information processed by Caruana S.A. SCFI related to a natural person that identifies them or that, when combined with other processed information, identifies an individual. Additionally, any information through which it is possible to identify a person or establish contact with them.
  • “Processing” – The processing of personal data includes the collection, receipt, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, classification, communication, transfer, dissemination, or extraction of individuals’ data.
  • “Purpose” – The objective of processing.
  • “Necessity” – The reason that justifies the processing of personal data to achieve the purpose. The processing of personal data must be limited to legal authorizations and/or the personal consent of the data subject to achieve the purpose, according to the criteria of pertinence, proportionality, and reasonableness.
  • “Consent” – For cases not provided by law, this is the clear and objective authorization that the data subject grants to Caruana S.A. SCFI for a previously stipulated purpose or following legal obligations. After consent is granted, the data subject may revoke it at any time without retroactive effect, meaning it does not affect procedures previously carried out.

Subjects Protected by the LGPD Adaptation Policy The ongoing adaptation, whose new privacy policy will be published in due course, applies to all users of applications and platforms whose personal data are processed by Caruana S.A. SCFI and its conglomerate.

Applicable Legislation Law 13.709/18 (LGPD), in conjunction with other legal and administrative norms, including Resolution No. 4.658/18, supports the protection of personal data, ensuring that the respective processing focuses on transparency, security, responsible governance, and ethics—values upheld by Caruana S.A. SCFI.

Collected Personal Data When the user utilizes the platform(s) or application(s) of Caruana S.A. SCFI for financial transactions, personal data (registration, financial, and transactional) are collected and processed in accordance with the respective purposes of use and legal obligations, compatible with the activities carried out by the company. These include:

  • Registration Data: Name, date of birth, gender, RG, CPF, and/or other identification documents such as a driver’s license, photo, address (residential and commercial), phone numbers (residential, commercial, and mobile), email, profession, occupation, marital status, nationality, place of birth, among others.
  • Sensitive Personal Data: Biometric data, including facial and/or digital, race, color, gender, and potentially other personal data defined as sensitive according to applicable legislation.
  • Financial and Transactional Data: Information on banking, financial, and payment operations and transactions, products, and services contracted or intended to be contracted, and their use (including our financial, banking, credit, financing, exchange, investment, insurance, pension, capitalization, consortium, credit card, and payment services, currency operations, among others).
  • Third-party Data: Filial data, representatives, represented parties, guarantors, counterparts, attorneys, collaborators, partners, or beneficiaries of products and services.
  • Reports on the Financial or Credit Situation of the User and/or Third Parties: We may access data about your financial or credit situation, such as income, assets, negative records, positive registration data, including detailed positive registration data, or data from the Central Bank’s Credit Information System, in accordance with applicable legislation.

Information Collected from Users’ Technological Devices Caruana S.A. SCFI’s electronic systems may collect information about your technological devices, such as device information (e.g., Advertising ID and technical information like operating system, screen size), connection information (e.g., date, time, IP Address, network used), device identification, and device usage. Similarly, information that users consent to, such as geolocation, may be collected to enhance security by preventing fraud, protecting credit, and providing conveniences and benefits.

Caruana S.A. SCFI may also request authorization to process biometric and registration data through certain functionalities of our platforms and applications to ensure greater security in sending contractual information, statements, invoices, and payment receipts.

Information About the User from Third Parties Caruana S.A. SCFI may use information provided by third parties, such as public sources, credit agencies, data providers, and companies that sell registration or record services.

Browsing Habit Data Caruana S.A. SCFI uses cookies, which are small text files that may or may not be added to your browser. These files store and recognize data that ensure the correct functioning of the Sites and Applications and help identify user preferences to improve their online experiences. Cookies allow the collection of data related to browsing, depending on the device used, the permissions granted by users through their device settings, and the functionalities used in each application. Cookies may be used by Caruana S.A. SCFI’s sites and respective applications, whether proprietary or third-party. Cookies also assist in monitoring and detecting suspicious and/or unauthorized activities, preventing fraud, and protecting users’ information, as well as monitoring, analyzing, measuring, and researching user access and performance in applications and tools.

The user can disable or delete cookies and collection technologies in their browser settings and the operating system settings of each device, except for functional cookies, which, if disabled, will not allow the use of the Sites and Applications. Therefore, it is important to note that if certain cookies are disabled, the sites and applications, or some of their features and functionalities, may not work correctly.

Purpose of Processing Users’ Personal Data Caruana S.A. SCFI processes personal data using legal bases that may vary depending on the purpose of the collection and the type of data. The storage period for personal data may vary according to the applicable legal basis for each situation and purpose, as follows:

A) To provide payment management services through the application; B) To provide services tailored to the user’s needs and treat them more personally; C) To carry out marketing activities and keep users informed about Caruana S.A. SCFI’s products and services; D) To confirm and evaluate the user’s identity and the data provided; E) To prevent, detect, and investigate possibly prohibited or illegal activities, including fraudulent activities; F) To comply with legal or regulatory obligations to which we are subject; G) To improve services and the user experience while preserving their individuality and identification; H) For administrative and management purposes of our business needs;

Data Sharing The information collected may be shared by Caruana S.A. SCFI: (i) with external partners who provide services and perform functions under the direction and on behalf of Caruana S.A. SCFI; (ii) to protect Caruana S.A. SCFI’s interests in any conflict; (iii) by court order or request from a competent authority; (iv) with the Central Bank of Brazil, the Financial Activities Control Council (COAF), and other competent authorities for money laundering prevention and other illegal activities; (v) to comply with legal and regulatory obligations; (vi) we also clarify that the information may be shared with companies providing the necessary technological and operational infrastructure for Caruana S.A. SCFI’s activities, such as payment intermediaries and information storage service providers.

Information Security All personal information will be transmitted through a secure Internet page, which protects and encrypts Caruana S.A. SCFI users’ information. Personal data is stored on physical servers or by magnetic means, maintained with high-security standards. Caruana S.A. SCFI employs criteria, efforts, and state-of-the-art technology to ensure confidentiality and security for its users. Caruana S.A. SCFI stores its users’ data in an encrypted manner and employs best market practices for this purpose. Caruana S.A. SCFI also encourages its users to adopt self-protective procedures, such as avoiding access to malicious websites; keeping antivirus protection installed and up-to-date; refraining from providing personal data unauthorizedly, especially not sharing login and password with third parties.

What Are My Rights Regarding Personal Data? In compliance with applicable regulations regarding personal data processing, Caruana S.A. SCFI respects and guarantees users the ability to submit requests based on the following rights:

  1. Confirmation of the existence of processing;
  2. Access to data;
  3. Correction of incomplete, inaccurate, or outdated data;
  4. Anonymization, blocking, or deletion of unnecessary, excessive, or illegally processed data;
  5. Data portability to another service or product provider, upon express request by the User;
  6. Deletion of data processed with the User’s consent;
  7. Obtaining information about public or private entities with whom Caruana S.A. SCFI has shared their data;
  8. Information about the possibility of the User not providing consent and being informed of the consequences in case of refusal;
  9. Revocation of consent.

Some of the rights outlined above can be exercised directly by you through the management of your registration information, while others will require a request to be sent through our customer service channels for further evaluation and necessary actions.

The User is aware, by reading this document, that any request for the deletion of essential information for managing their registration with the Organization, where applicable, will result in the termination of their contractual relationship, leading to the cancellation of the services provided.

Caruana S.A. SCFI will make all reasonable efforts to fulfill requests made by the Data Subjects as quickly as possible. However, justifiable factors may delay or prevent prompt service, and in case of delay, Caruana S.A. SCFI will provide the User with the appropriate reasons.

Finally, the User should be aware that their request may be legally rejected, either for formal reasons (such as the inability to prove identity) or legal reasons (such as requests for data deletion where maintenance is a lawful exercise of the Organization’s rights). If such requests cannot be fulfilled, Caruana S.A. SCFI will provide the User with reasonable explanations.

  • Data Protection Officer

For more information about the Policy or how we handle your personal data, you can contact us via email for addressing complaints and communications from the data subjects, as well as providing clarifications and taking necessary actions. Send your inquiries to the email address privacidade@caruanafinanceira.com.br with the subject “Contact of the Responsible Authority or Data Subject” requesting information about the General Data Protection Law.

Data Protection Officer – DPO

The Data Protection Officer (DPO) has the role of acting as a communication channel between the institution, the data subjects, and the National Data Protection Authority (ANPD).

DPO

Aroldo Araujo Pinto

Address

Av. do Café, 277
4th Floor – Suite 402 – Tower A – Vila Guarani
CEP 04311-900

Phone: +55 (11) 5504-7815 or 3195-5915

Email: privacidade@caruanafinanceira.com.br

Legal Basis

GPDR, art. 5º, VIII

Responsibilities

Article 41, §2º, of the GPDR

I – Accept complaints and communications from data subjects, provide clarifications, and take necessary actions;

II – Receive communications from the national authority and take necessary actions;

III – Guide the entity’s employees and contractors on practices related to personal data protection; and

IV – Perform other duties determined by the controller or established in supplementary regulations.