Hello!

CUMBUCA SERVIÇOS DE TECNOLOGIA LTDA., registered in CNPJ/MF under No. 50.271.185/0001-47, headquartered in the city of São Paulo, state of São Paulo, Rua Fidêncio Ramos, No. 101, suite 124, Part 3, Vila Olímpia, ZIP code 04555-010, ("Cumbuca" or "We") presents its Privacy Policy ("Privacy Policy") to inform Users about how their Personal Data is processed.

WE ASK YOU TO READ THIS PRIVACY POLICY CAREFULLY, AS THE USE OF THE PLATFORM IS SUBJECT TO YOUR AGREEMENT AND ACCEPTANCE.

1. As the User contacts us, registers, accesses, or uses the Platform, some personal information about the User will be requested and collected. This Privacy Policy describes the types of Personal Data we may receive about the User, directly or through the User's interaction with Cumbuca, how we may use them and for what purposes, with whom we may share them, how we protect and keep them secure, and your rights regarding your Personal Data. Therefore, this Privacy Policy provides an overview of all the possible situations through which we may interact.

2. We are committed to safeguarding your information's confidentiality and your privacy, all in accordance with the General Data Protection Law (LGPD) and the rules of the Central Bank of Brazil on the subject. The Processing of Personal Data aims, above all, to provide better and more personalized service, taking into account the specific conditions of each User. The more the User interacts with us, the more information they provide, and the more capable we are to offer personalized services.

3. This Privacy Policy is an integral and inseparable part of the General Terms and Conditions of Use of the Platform ("Terms of Use"), available on our website and on our Platform. By registering on the Platform, the User acknowledges the provisions of this Privacy Policy, which will apply to the use of our platform and our services. Therefore, we ask that the User carefully read this document, as well as any updates to it, before deciding to access, register, use, or continue using the Platform. If you do not want your personal data to be processed as described in this Privacy Policy, the User must refrain from accessing, registering, and using the Platform.

4. The terms written in capital letters will have their meanings defined in accordance with the Terms of Use or applicable legislation. Below are some definitions used throughout this Privacy Policy:

AFFILIATES: Any person, organization, or entity controlling, controlled by, or under common control with one of the Parties.

CONSENT: a free, informed, and unequivocal expression by which an individual agrees to the Processing of their Personal Data for a specific purpose.

CONTROLLER: an individual or legal entity responsible for decisions regarding the Processing of Personal Data – in this case, the main Controller for the Processing of your Personal Data will be Cumbuca, with the details provided at the beginning of this policy.

INDEPENDENT CONTROLLERS: two or more individuals or legal entities with decision-making power over the Processing of Personal Data, with each Controller independently defining the purposes and methods of Processing, each being responsible for the Processing done within their scope of action.

COOKIES: browsing files that temporarily store what the User is visiting on a specific site or application.

ANONYMIZED DATA: any data related to a Holder that cannot be identified, considering the use of reasonable and available technical means at the time of its Processing.

USER DATA: Together, all the User's Personal Data.

SENSITIVE PERSONAL DATA: Personal Data about racial or ethnic origin, religious belief, political opinion, membership in a union or religious, philosophical, or political organization, data regarding health or sexual life, genetic or biometric data when linked to an individual.

PERSONAL DATA: data related to an identified or identifiable natural person.

PSEUDO-ANONYMIZED DATA: the processing through which data loses the possibility of association, directly or indirectly, to an individual, unless through the use of additional information kept separately by the controller in a controlled and secure environment.

DATA PROTECTION OFFICER OR DPO: the person designated by us to act as a communication channel between the controller, data holders, and the National Data Protection Authority (ANPD).

DATA PROTECTION LAW: The Law No. 13.709/2018 ("General Data Protection Law" or "LGPD") remains in force, along with its subsequent amendments, and any other laws and regulations regarding the processing, protection, and privacy of personal data, including User Data, that are applicable and, if applicable, all guidance, norms, rules, orders, regulations, and codes of practice and conduct issued by the National Data Protection Authority ("ANPD") or another relevant authority for the supervision or protection of Personal Data.

OPERATOR: an individual or legal entity that carries out the Processing of Personal Data on behalf of the Controller or, in the context of our services, the company that receives your Personal Data on our behalf.

TERMS OF USE: the General Terms and Conditions of Use of the Platform available on the site and on the Platform.

HOLDER: a natural person to whom the Personal Data that is the subject of Processing refers. The Holder may be the User.

PROCESSING: any operation or set of operations carried out with Personal Data or sets of Personal Data, whether by automated means or not, such as, but not limited to, collection, use, access, organization, consultation, production, alteration, reception, classification, use, reproduction, communication, transmission, distribution, processing, archiving, recording, structuring, storage, adaptation, retrieval, transfer, availability, combination, restriction, elimination, assessment, or control, modification, deletion, or extraction.

PERSONAL DATA BREACH: an information security breach that leads to the accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access to Personal Data transmitted, stored, or otherwise Processed by Cumbuca or an authorized subcontractor;

5. WHAT DATA WILL BE PROCESSED?

5.1. By using the Platform, Users must provide certain information for registration, use of the Platform, and services:

5.1.1. Information that Users provide directly to us:

a) Identification, registration, and enrollment data: this is the information that the User provides when registering or using Cumbuca's services. The following Personal Data will be collected: name, date of birth, email, phone number, CPF, image, login, password. If you use a social network to facilitate your registration, information about which social network you used will also be collected. You can check the privacy practices of these social networks by accessing their respective policies and terms of use.

b) User-Generated Content: we may process your information through information entered in our user support channel, request history, or through comments, criticisms, compliments, suggestions, feedback, or testimonials sent regarding the Platform or services acquired.

5.1.2. Information that Users provide indirectly:

a) Platform Usage Data: we collect data derived from the User's use of the Platform each time they interact with the Platform. Usage data includes IP, time, and date of access, geolocation, data about the access device (model, operating system, screen size, among others), User spending profiles and behaviors, expenses, volume, and number of transactions made on the Platform and User preferences in general. Such information will be stored securely, using tools that ensure data pseudo-anonymization and will not be shared with third parties, except after the anonymization process or if there is any legal basis that justifies sharing.

b) Transaction Data: we will process and store data on fund transfers between payment or financial institutions made using our services, including amounts, bank account or payment data, date, time, location, and other information related to the transaction. This data processing is necessary for the execution of the transaction and compliance with applicable Central Bank regulations.

c) Data Derived from Incident Management: If the User contacts the Platform via the form, email, or contact phone number, the messages received in the format used by the User will be collected, so that the data may be used and stored for managing current or future incidents.

d) Data Collected through "Cookies": Cookies and electronic device identifiers (such as SDKs, web beacons, among others) are collected when the User uses the Platform. The User can manage their privacy options directly in the privacy policy of such third-party companies. See the specific item about Cookies in this Privacy Policy.

5.1.3. Information provided by Third Parties: if the User accesses the Platform through services offered by third parties or links posted on third-party pages, these may send the User's browsing data to Cumbuca. This information may be associated with other information collected by Cumbuca or provided by Users and used in situations and for the purposes described in this Privacy Policy. In this case, only the information collected directly by Cumbuca about the User and the result of this combination are covered by this Privacy Policy. Information provided by external third parties can be controlled by the User according to the privacy policy of those external parties.

5.2. To prevent fraud and ensure the authenticity of the Personal Data reported by the User, additional information may be requested, as well as the sending of photos or copies of documents that allow confirmation of the data provided by the User. In this case, the User will be contacted directly. The User's registration may also be checked or completed by payment or financial institutions upon the User's request for data sharing, or by Cumbuca itself, through consultation of suitable public or private databases existing for such purpose.

6. PURPOSE OF COLLECTING PERSONAL DATA

6.1. Users' Personal Data are processed for the following purposes:

a) Providing services available on the Platform and adequate and effective support, including opening payment accounts in the User's name at partner institutions and executing a transaction, using the User's accounts upon their request;

b) Enabling access to the Platform;

c) Preventing fraud, money laundering, and terrorism financing;

d) Adapting appearance and content to the User's preferences, in order to provide quicker, more pleasant, and effective access;

e) Authenticating access;

f) Providing adequate security for the services offered and means of identification in cases of inappropriate or illegal uses;

g) Resolving instabilities in the Platform;

h) Keeping Users informed about services, changes to the Terms of Use or the Privacy Policy, updates, or improvements in the Platforms;

i) Gathering statistical information;

j) Complying with legal or regulatory obligations, or court orders or those from other competent authorities;

k) Providing and improving customer service to Users; 

l) Conducting usage analysis of the Platform to enhance its services and functionalities; 

m) Sharing registration data with Partners for the purpose of registration validation and strictly complying with service delivery;

n) Sharing your registration, financial, and personal data with business partners and companies from the same economic group, which may offer you products and services related or not to Cumbuca; and

o) Conducting user profiling analyses to offer services more suited to your preferences or needs.

6.2. Regarding the management of information on the Platform, as well as statistical analysis of data for the enhancement of the Platform, data storage for internal product development, and Platform management, Cumbuca will act as the Controller of Personal Data. 

7. SHARING OF PERSONAL DATA

7.1. Using Cumbuca's services necessarily involves sharing Users' personal data with other users, with payment and financial institutions, with public bodies, and with various other companies and institutions. 

7.1.1. The User is aware and agrees with the manner that CUMBUCA carries out the processing of their Data, as described in this Privacy Policy; and

7.1.2. Authorizes CUMBUCA to access, process, and share its Data, as provided for in Article 10 of Joint Resolution No. 1 of 4/5/2020 (Open Finance Regulation);

7.1.3. Authorizes that CUMBUCA has access as well as processes and shares their Data, as provided for in Article 1, paragraph 3, item V of Complementary Law No. 105/2001 (Banking Secrecy Law); and

7.1.4. Authorizes that CUMBUCA has access, processes and shares their Data, as provided for in Article 7, items I, II, V, IX, and X of Law No. 13.709/2018 (General Data Protection Law or simply “LGPD”).

7.2. Each User must be aware that, when a transaction is carried out through the platform, the payment and financial institutions involved will have access to the User's data related to this transaction so that it can be performed, meaning that Cumbuca needs to share data with these companies and, in certain regulatory situations, also with public institutions such as the Central Bank of Brazil and the Financial Activities Control Council.

7.3. Cumbuca carries out transactions through the payment institution CELCOIN INSTITUIÇÃO DE PAGAMENTOS S.A., which provides Cumbuca with a technological solution (“Bank as a Service”/”BaaS”) that includes procedures for opening and managing payment accounts, issuing electronic currency, and processing and settlement services. The data provided to open and maintain the account by the customer will be used by this institution solely for fulfilling the contractual relationship established with Cumbuca and the duties arising from current regulations, always observing the legislation regarding data protection and information security. The payment institution may also, at any time, request additional information for legal and regulatory purposes. For more information on this payment institution's personal data protection practices, consult its privacy policy at https://www.celcoin.com.br/.

7.4. The User may request a card for using the available balance in the payment account, which will be issued by a partner issuer of Cumbuca (“Issuer”). By requesting the card issuance, the User expressly authorizes Cumbuca to share its data with the Issuer, as well as acknowledges and agrees that Cumbuca will have access to all financial data resulting from purchases made with the card, being able to request additional information and documents in addition to those provided at the time of registration to enable the card issuance.

7.4.1. During the use of Cumbuca's services and platform, data related to registration, expenses, and User budgets will also be accessible to the Group Administrators of which each User is a part and, to a limited extent, also by the other members of the Group.

7.4.2. For using the Cumbuca Card, it may be requested that, at the time of purchase, Users participating in the Simple Group need to provide personal data of the Administrator User (full name and CPF number) to finalize the purchase with the Cumbuca Card. Thus, the Administrator User, at this act, authorizes the other Group Users to use such data, exempting CUMBUCA from any responsibility arising from this authorization.

7.5. Cumbuca may also share your personal data with third parties in the following situations:

a) Partners/Third Parties or Cumbuca Suppliers: provides for sharing Users' personal data to enable the offering and provision of services. Non-exhaustive examples: logistics services, database analysis, management and coordination of website development, cloud storage, and creation of marketing actions, services from Banking and banking service providers, technology service providers, infrastructure, core banking, data processing or transaction processing. These suppliers receive your information for the specific purpose of providing services to Cumbuca;

b) Judicial request: we may share your personal information in the event of a judicial request or upon determination of a competent authority, under the terms of the law;

c) New Business. There may be a transfer of Personal Data to Cumbuca Affiliates in the context of acquisition, sale, merger, corporate reorganization, or any other change of control of Cumbuca;

d) Regular exercise of rights through administrative or judicial means or extrajudicial means. Cumbuca may share Personal Data with third parties such as law firms, consultancies, collection agencies, accounting firms, and similar companies, for the exercise of its own rights or to ensure compliance with and enforcement of this Privacy Policy and the Terms of Use. It may also share Personal Data for the purposes of administrative, judicial, extrajudicial, or arbitration defense of our interests. This may include extrajudicial negotiations between the parties, judicial or arbitration processes, administrative procedures, among others; and

e) With User consent: we may share your personal information with third parties whenever specifically authorized by you.

8.Specific conditions of Open Finance solutions

8.1. CUMBUCA Instituição de Pagamento Ltda., a partner of CUMBUCA, is a regulated institution participating in Open Finance (Open Financial System), that is, a standardized system for sharing data and services through the opening and integration of systems by financial institutions, payment institutions, and other institutions authorized to operate by the Central Bank, under the terms of Joint Resolution 1 and subsequent regulations.

8.2. Access to Open Finance is voluntary, and users' information can be accessed through their express consent.

8.3. Thus, by using our Open Finance solution, You give your express and unequivocal consent for CUMBUCA to access your information available in the Open Finance environment.

8.4. Furthermore, You give your express consent for CUMBUCA to share the information accessed in the Open Finance environment.

8.5.You are aware that access to Open Finance and sharing is entirely optional. If you wish to revoke your consents, you can do so at any time through our channels.

8.6.Scrapping: is a process of extracting data from a specific website, typically performed automatically. Scrapping by CUMBUCA occurs by sharing the end user's credentials with CUMBUCA so that CUMBUCA can access your information available in third-party banks.

8.7. Thus, by using our Scrapping solution, You give your express and unequivocal consent for CUMBUCA to use your credentials and access your information available in third-party banks under the terms of this document.

8.8.You are aware that sharing your credentials with CUMBUCA is entirely optional. If you wish to revoke your consent, you can do so at any time through our channels.

9. WHAT ARE THE USERS' RIGHTS?

9.1. Users have the following rights regarding their Personal Data, which can be requested through the Platform itself or by request through the service channels indicated in this Privacy Policy:

a) Access to Personal Data: Users can access their Personal Data and request a copy of the Processed Data;

b) Correction of incomplete, inaccurate, or outdated Data: Users can request alterations or corrections to their Personal Data that appear incorrect or to update registration data that have undergone changes;

c) Anonymization, blocking, or elimination of Personal Data: Users can request the anonymization, blocking, or deletion of unnecessary, excessive data, or processed in non-compliance with the provisions of Data Protection Legislation and for the purposes described in this Privacy Policy or the Terms of Use, with the exception of cases where there is a need to fulfill obligations or legal duties by Cumbuca, in which case this request may be declined;

d) Information on sharing: Users can request information about which public and private entities Cumbuca has shared their Personal Data with, under the terms of this Privacy Policy;

e) Information about the possibility of not consenting: Users have the right to be informed when there is a possibility to decide whether or not to consent to certain Processing of Personal Data, as well as the potential consequences of this decision, including in relation to the impossibility of providing Cumbuca's services;

f) Revocation of Consent and elimination of data collected based on consent: Users can, at any time and at their discretion, revoke previously provided consent for one or more Processing of Personal Data or request the deletion of data collected whenever the data was collected or used based on their specific consent. Other processing and processing carried out based on their consent up to that moment, however, will remain valid. 

9.2. It is important to highlight that the processing of Users' Personal Data by Cumbuca is based on providing services to the User and the necessity of fulfilling the rights and legal duties involved in this provision. Only in some cases will the User have a choice regarding granting or denying consent for any use of personal data. In these cases, Cumbuca will always be clear about the User's choices and their potential consequences, giving the User the opportunity to consent or not freely, unequivocally, and informed, as well as to revoke and request data deletion if they change their mind in the future, as mentioned above.  

9.3. The User may, by opening a request with Cumbuca's Support, verify the treatments of provided consent at any time and revoke the consent. If the revocation of consent for certain Processing of Personal Data leads to changes in functionalities or failure to continue offering services from Cumbuca to the User, they will be informed before deciding.

9.4. The rights mentioned above and others provided in applicable legislation can be exercised by the Data Holder directly through the Platform, according to functionalities available (such as, for example, tools for accessing and editing Personal Data) or through a request directed to Cumbuca's Data Protection Officer at the email: privacidade@cumbuca.com. Requests must contain at least the name of the Data Holder, the right to be exercised, details and specifications about the request, and the User's email address. Cumbuca reserves the right to request additional information or documents to prove the claims and the identity of the requester.

9.5. It is also important to note that, in several instances, Cumbuca may not be able to fulfill the deletion of personal data requested by the User. Such cases arise where the retention of User Data is necessary to fulfill obligations and legal duties, exercising and defending rights, and fulfilling pending duties between Cumbuca and the User. In these cases, the data necessary for these purposes will be maintained securely by Cumbuca until the necessary period ends. In case of doubt, inquire about the possibility of deleting your data from Cumbuca's Data Protection Officer at the email: privacidade@cumbuca.com.

10.DATA SECURITY

10.1. Cumbuca will do everything possible to keep Personal Data always secure and will adopt security measures and protections, technical and administrative, consistent with the nature of the Personal Data collected, used, stored, or otherwise processed by Cumbuca, in accordance with the appropriate market practices, as well as applicable laws and regulations. However, no method of electronic data transmission or retention is completely secure and may be subject to external attacks. Thus, Cumbuca cannot guarantee that such security measures are error-free or immune to interference from third parties (hackers, among others). By their nature, despite Cumbuca's best efforts, any security measure may fail, and any Personal Data may become public, and should this occur, Cumbuca will act in the best possible way to avoid or mitigate the risks or damages to the User.

10.2. Personal Data will be kept as long as necessary for the purposes outlined in this Privacy Policy, typically throughout the relationship maintained with the User and for an additional 5 to 10 years, to fulfill obligations and legal duties, exercising and defending rights, and fulfilling pending duties between Cumbuca and the User. Cumbuca adopts controls to ensure that Personal Data is retained only as long as truly necessary, being discarded once the Processing is concluded or no legal retention scenario applies and no further Processing purposes that justify its retention can be verified.

10.3. When we no longer need to use Personal Data, they will be removed from our systems and records or will be anonymized, so that the User can no longer be identified from this data.

11.INTERNATIONAL DATA TRANSFER

11.1. Cumbuca may share your personal data internationally with other companies located outside Brazil, which are relevant for enabling the provision of services to Users, according to applicable legislation, and in accordance with lawful purposes presented in this Privacy Policy. Sharing may occur when using network infrastructure services and other suppliers, such as cloud storage service providers. These suppliers receive your information for the specific purpose of providing services to Cumbuca.

12.COOKIES

12.1. Cumbuca uses Cookies and similar technologies, such as pixels and tags, to ensure that the services provided conform to our quality standards. Cookies collect only statistics and will not be used for purposes other than those expressly provided for in this Privacy Policy. 

12.2. A cookie is a small file added to your device or computer to provide a personalized access experience to the Platform. Cumbuca uses Cookies:

a) Necessary: Cookies that enable the use of the Platform and without which the Platform may not function properly. Since these Cookies are necessary, they are used based on the execution of the contract between Cumbuca and the User; 

b) Functional: Cookies that activate additional functions or allow access to certain specific sections of the Platform. The use of such Cookies is not absolutely necessary for using the service, but if you choose to disable them, the User may have reduced functionalities, so the use of these Cookies is based on your consent to activate such functions;

c) Performance: Cookies used to measure and improve the performance of a particular web page and specific contents contained on the page. The use of such Cookies is also not absolutely necessary for using the service. If you choose to disable them, it may impact the User's experience, so the use of these Cookies is based on your consent to activate such functions; and

d) Social Media: The Platform uses social media plugins, which enable access from the Platform. Thus, by doing so, the Cookies used by them may be stored in the User's browser. The use of such Cookies is not absolutely necessary for using the service, but if you choose to disable them, the User may have reduced functionalities, so the use of these Cookies is based on your consent to activate such functions. Each social network has its own privacy and personal data protection policy, with the individuals or entities maintaining them responsible for the Personal Data collected and the privacy practices adopted. The User can research, with the social networks, information on how their Personal Data is processed.

12.3. CUMBUCA DOES NOT HAVE ANY CONTROL OR RESPONSIBILITY OVER THIRD-PARTY SITES AND WILL NOT BE LIABLE FOR THE CONTENTS, PRACTICES, AND SERVICES OFFERED BY ANY THIRD PARTIES, NOR FOR THE TREATMENT GIVEN TO USERS' PERSONAL DATA BY THOSE SITES AND SOCIAL NETWORKS, EVEN WHEN THE LINKS ARE INCLUDED IN THE PLATFORM.

12.4. Browsers generally allow for the collection of Cookies to be disabled, including Cookies considered necessary. If this option is used, access to the Platform and Services may be compromised. If the User wants more information about the use of Cookies and similar tools by Cumbuca, they can contact Cumbuca's Data Protection Officer at the email: privacidade@cumbuca.com.

13.GENERAL PROVISIONS

13.1. In case of questions, suggestions, complaints, or clarifications about this Privacy Policy or the Processing of Personal Data by Cumbuca, or to request the exercise of any of the rights described in this Privacy Policy or in the Data Protection Legislation, the User can contact Cumbuca and its Data Protection Officer via the email: privacidade@cumbuca.com. Cumbuca will be pleased to clarify any doubts and/or fulfill your request.

13.2. Due to the ongoing evolution of Cumbuca's activities, this Privacy Policy and the Terms of Use may be modified. Cumbuca will send notifications to the User about substantial changes and modifications to these documents via email or any other means that ensures receipt. If the User does not agree with the changes to the Privacy Policy, they should refrain from using the Platform and may request the cancellation of their account, in accordance with the Terms of Use.