This Policy has the purpose of clearly and fully informing how the USER’s Personal Data will be Processed, as a result of the use of the Services provided by the PARTNER together with FLAGSHIP.
The PARTNER discloses its Policy to protect the USER’s privacy, ensuring that the Personal Data Processing will only serve to enable the provision of the Services or for other purposes set forth in this Policy.
When using the Services of the PARTNER and the Payment Institution, in accordance with the conditions set forth in the Agreement, the USER declares that he/she/it is aware of this Policy and the way in which his/her/its Personal Data will be Processed by the PARTNER and the Payment Institution. If the USER does not agree with the Processing of his/her/its Personal Data, as set forth in this Policy, he/she/it shall refrain from Registering in the Payment System and from using the Services of the PARTNER together with the Payment Institution.
If the USER does not want to disclose his/her/its Personal Data or requires its deletion, the Registration in the Payment System may be denied and/or the provision of the Services may be limited, since the use of Personal Data is necessary for these purposes.
If the USER is a legal entity, some conditions set forth in this Policy may not be applicable, pursuant to the Applicable Legislation, or will apply to the individuals responsible for the direct use of the Payment System.
For more information about the use of the Services provided by the PARTNER together with the Payment Institution, the USER must consult the Agreement. The PARTNER together with the Payment Institution may change the conditions of this Policy from time to time, provided that the updated version may be consulted, at any time, by the USER on the Platform or other means made available by the PARTNER together with the Payment Institution.
1.1. Without prejudice to other definitions contained in this Policy or in the Agreement, the words and expressions used with the first capital letter will have the following definitions:
“Registration”: personal data and other information, requested by the PARTNER or by the Payment Institution, necessary for the accreditation and maintenance of the USER in the Payment System.
“Agreement”: agreement that regulates the rules, conditions and limits of the Services provided by the PARTNER together with the Payment Institution to the USER due to the use of the Payment System.
“Anonymized Data”: Personal Data that, alone or together with Technical Usage Data, Device Information and/or Geographic Location, do not allow the identification of the USER, considering the use of technical means available at the time of its Processing.
“Technical Usage Data”: information that the PARTNER or the Payment Institution processes due to the use of a mobile device, computer or other device that the USER uses to access the Platform and the Payment System. The Technical Usage Data shows how the USER uses the services provided by the PARTNER together with the Payment Institution, including the IP (Internet Protocol) address, statistics on how pages are loaded or viewed, the websites the USER has visited and browsing information collected through Cookies or similar technology.
“Personal Data”: personal information associated with the USER as an identified or identifiable individual. They may include the name of an individual, company or corporate name of a legal entity to which it is related, self-portrait, address, telephone number, email, name and number of the banking institution, branch number, current or savings account number (“Bank Account”), date of birth, mother’s full name, number or copy of official documents (for example, RG (Identity Card), CNH (National Driving License), CPF (Individual Taxpayer’s Register), among others). Technical Usage Data and Device Information will be considered Personal Data when used to individualize the USER or whenever possible to identify the USER.
“Device Information”: data that may be collected automatically from any device used to access the Platform. Such information may include, but is not limited to, the device type, device network connections, device name, device IP address, device browser information and the Internet connection used to access the Platform.
“Applicable Legislation”: all legislation in force applicable to information security, privacy and data protection, including, but not limited to, Law No. 13,709/2018 – General (Personal) Data Protection Law, Law No. 12,965/2014 – Brazilian Civil Rights Framework for the Internet, Law No. 8,078/1990 – Consumer Protection Code, Supplementary Law No. 166/2019 – Positive Credit Registry Law (Lei do Cadastro Positivo), Law No. 12,527/2011 – Access to Information Law, Decree No. 7,962/2013 – E-Commerce Decree and other laws and regulations applicable to the Payment System.
“Geographic Location”: information that identifies the USER’s location through, for example, latitude and longitude coordinates obtained by GPS, Wi-Fi or mobile location triangulation. The Platform may request permission to share the USER’s current location. If the USER does not consent to the collection of the Geographic Location information, the Payment System may not operate properly.
“Service Providers”: service providers whose system is integrated with the Payment System, to enable the execution of certain Services.
“Services”: services provided by the PARTNER together with the Payment Institution to the USER, in accordance with the conditions set forth in the Agreement.
“Payment System”: technology provided by the Payment Institution, and which is integrated with the Service Providers’ systems, including the PARTNER, to enable the provision of the Services to the USER.
“Transaction”: operation in which the USER makes or receives payments through the payment instruments available in the Payment System.
“Processing”: any operation carried out with the USER’s Personal Data, due to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, diffusion or extraction.
“USER”: legal entity or individual (including representatives, delegates or agents authorized to execute the Transactions) that provides their Personal Data for Processing by the PARTNER and the Payment Institution, due to the Services provided through the Payment System.
2. Obtaining Personal Data
2.1. The PARTNER and the Payment Institution Process the minimum Personal Data necessary for the use, by the USER, of the set of Services provided through the Payment System, in order, in accordance with the Agreement, to enable the:
(a) Opening of a payment account (“Payment Account”) and the execution of Transactions;
(b) Receipt of funds due to payment with a credit or debit card (“Card”) through the payment arrangements established by the brands accepted in the Payment System;
(c) Execution of instant payments within the scope of the PIX, in accordance with the rules established by Bacen (“Instant Payments”); and/or
(d) Issue of a prepaid card (“Prepaid Card”) by an Issuer.
2.2. For accreditation to the Payment System, the USER shall provide the Personal Data requested in the Registration, so that the USER can be properly identified. The Registration only requests the data necessary for the provision of the Services by the PARTNER together with the Payment Institution.
2.2.1. In order to prevent fraud and guarantee the authenticity of the Personal Data provided, other information not included in the Registration may be requested, as well as the sending of photos or copies of documents that allow the confirmation of the data provided by the USER. In this case, the USER will be contacted directly. Such information and additional documents may be stored by the PARTNER and the Payment Institution for the time necessary to guarantee the integrity and reliability of the use of their Services by the USER.
2.2.2. In addition, the PARTNER and the Payment Institution may consult the information available in public or private databases, including credit bureaus.
2.2.3. The PARTNER and the Payment Institution will also request the USER’s financial data that are necessary for the provision of the Services, and which may include, as applicable: (i) the identification data of the Bank Account held by the USER; (ii) information about the Transaction; and (iii) other information associated with the Transaction, such as the origin of the funds and the reasons for its execution.
2.3. If the USER is indicated by a commercial partner of the Payment Institution, his/her/its Personal Data may be shared directly by the partner, in order to facilitate the Registration in the Payment System. The sharing of Personal Data will take place for the fulfillment and execution of the Agreement, in accordance with the Applicable Legislation.
2.4. In accordance with the Applicable Legislation, the strict principles of purpose, suitability, necessity, free access, data quality, transparency, security, prevention, non-discrimination and accountability will be observed in the Personal Data Processing.
2.4.1. Before completing the Transaction requested by the USER in the Payment System, the PARTNER and the Payment Institution may request additional documents and information that are necessary for the identification and prevention of situations of fraud, money laundering or irregular destination of funds. Such additional information and documents may be stored by the PARTNER and the Payment Institution for the time necessary to ensure compliance with the legislation and the fraud prevention and anti-money laundering policy of the PARTNER and the Payment Institution.
2.4.2. Personal Data may include the USER’s financial condition, which will be collected, stored and shared to verify the credit score and monitor the CPF or CNPJ enrollment status.
2.5. The PARTNER’s Platform may use USER’s Device Information, Technical Usage Data and Geographic Location.
2.5.1. In addition, the PARTNER’s Platform may use “Cookies” (files recorded on USER’s device to obtain browsing information within the website), for the purpose of identity confirmation and analysis of browsing behavior, in order to improve security and identify problems and difficulties in using the Platform. If the USER does not agree with its use, he/she/it may disable the use of such feature in the options of his/her/its browser to refuse the receipt of Cookies and remove them at any time. The USER shall verify the options and tools available in the software used.
3. Use of Personal Data
3.1. The PARTNER and the Payment Institution will Process USER’s Personal Data, Technical Usage Data, Device Information or Geographic Location to operate the Payment System and to provide the Services, including, but not limited to, the following situations:
(a) Register and authenticate the USER’s access to the Platform;
(b) Communicate with the USER about the Registration, use of the Payment System or provision of the Services;
(c) Send or request payments, due to the Transactions carried out by the USER in the Payment System;
(d) Carry out the USER’s credit and financial reputation verification;
(e) Keep the USER’s Personal Data up to date;
(f) Carry out the USER’s identity verification to manage risks and protect the Payment System against frauds;
(g) Classify the USER, as well as monitor and analyze his/her/its behavior when using the Payment System, in order to prevent frauds and illegal acts, including in the case of a politically exposed person;
(h) Create the USER’s connection with the Service Providers’ system;
(i) Carry out and promote marketing campaigns and improvement of the Services or the experience in using the Payment System;
(k) Promote offers of specific products or services – if the USER chooses to share his/her/its Personal Data – through the provision of advertisements, search results and other personalized content; and
(l) Comply with the obligations set forth in the Agreement, in the Applicable Legislation and/or laws and rules arising from regulators.
3.1.1. The PARTNER and/or the Payment Institution may collect, store and share the USER’s Personal Data whenever the PARTNER and/or the Payment Institution has a need for such use or when it is necessary for the provision of the Services, compliance with legal or regulatory duties imposed on the PARTNER and the Payment Institution or the exercise and defense of PARTNER’s, Payment Institution’s or third parties’ rights.
3.1.2. The PARTNER and the Payment Institution may share Personal Data with group companies and/or Service Providers that are part of the Payment System, when necessary for the provision of the Services contracted.
3.2. The USER’s Personal Data will be shared by the PARTNER and the Payment Institution with other USERS and Service Providers, through a secure network, limited only to what is necessary to identify the USER and the Transaction carried out through the Payment System.
3.3. The USER’s Personal Data will also be shared by the PARTNER and the Payment Institution with third parties engaged to provide computing services, data transfer and cloud hosting, credit protection services, fraud analysis tools and anti-money laundering analysis tools; provided that these third parties keep the same privacy and security standard applied by the PARTNER and the Payment Institution and are contractually compelled not to access the content or share the Personal Data, except upon express order from the PARTNER and/or the Payment Institution.
3.3.1. Personal Data will be collected in Brazil and may be transferred to another country, in which the company responsible for hosting is based and/or maintains its servers. In this case, the PARTNER and the Payment Institution will ensure that the foreign recipient provides the Personal Data protection level required in this Policy, in line with the Applicable Legislation.
3.4. The USER’s Personal Data and the data of the Transactions carried out in the Payment System may be used by the PARTNER and/or the Payment Institution to prepare research and statistics aimed at analyzing the efficiency of the Payment System, number of USERS, the amount of Transactions carried out in the Payment System, among others; provided that such information is converted into Anonymized Data or in the form of total amounts for the creation of statistics, in order to preserve the individuality and identification of the USER.
3.5. Except as set forth in this Policy, and unless otherwise provided for in the Applicable Legislation, the PARTNER and the Payment Institution will not disclose or share the USER’s Personal Data with third parties.
4. Instant Payments using PIX
4.1. In order to carry out Transactions through the PIX, the USER may request the registration of a Pix Key linked to his/her/its Payment Account or Bank Account, and the USER must have the ownership of the Pix Key chosen – with the exception of the random key – and give his/her/its consent to such registration.
4.1.1. By registering a Pix Key, the USER declares that he/she/it is aware that third parties, with which the USER may carry out Transactions through the PIX, will view, for each Transaction, his/her/its name, Pix Key identification data and the name of the Payment Institution and the Service Providers involved.
4.1.2. For the purposes of this Policy:
“Pix Key”: information indicated by the USER to identify his/her/its Payment Account or Bank Account within the scope of the PIX arrangement, through: (i) CPF or CNPJ number (as applicable); (ii) mobile number; (iii) email address; or (iv) random key (sequence of letters and numbers randomly generated by Bacen), freely chosen by the USER. The use of the Pix Key makes it possible to obtain information about paying and receiving users stored in the Directory of Transactional Account Identifiers (“DICT”) managed by Bacen, in order to facilitate the process of initiating Instant Payment Transactions and to mitigate fraud risk within the scope of the PIX.
“PIX”: payment arrangement that governs the provision of services related to Instant Payment Transactions, the rules and conditions of which are established by Bacen.
4.2. The USER declares that he/she/it is aware that, under the terms of the PIX Regulations and other rules established by the Central Bank of Brazil (“Bacen”), the Payment Institution will be responsible for carrying out Instant Payment Transactions, through the transmission of Personal Data and the Transaction to the Service Provider responsible for the settlement within the scope of PIX.
4.2.1. In order to carry out Instant Payment Transactions, the USER expressly states its interest in the collection, processing and transmission of its Personal Data to the Service Provider, which, as a direct participant, will be responsible for settling the Transactions before PIX.
4.3. The USER also authorizes the PARTNER and the Payment Institution to carry out the collection, Processing and transmission, to the Service Provider with access to the DICT, to carry out the Registration, deletion and claim of Pix Keys.
4.3.1. The execution, by the USER, of the registration of his/her/its Pix Key implies the prior statement for the registration of Pix Keys in the DICT. Such statement will be confirmed, and the registration of the Pix Key will be carried out in the DICT, in case the USER does not delete his/her/its Pix Key in the Payment System of the PARTNER and the Payment Institution.
5. Issue of Prepaid Card
5.1. The USER may, under the terms of the Agreement, request a Prepaid Card that will be issued by a partner-issuer of the Payment Institution (“Issuer”).
5.2. When requesting the issue of a Prepaid Card, the USER expressly authorizes the PARTNER and the Payment Institution to share his/her/its Personal Data with the Issuer, and declares that he/she/it is aware and agrees that the PARTNER and the Payment Institution will have access to all financial data resulting from the Transactions carried out with the Prepaid Card.
5.3. The Issuer will Process the USER’s Personal Data and may:
(a) Adopt procedures to ensure due diligence in the USER’s identification, qualification and classification;
(b) Execute verification of the USER’s status as a politically exposed person;
(c) Collect information about the USER’s income and/or billing; and
(d) Monitor the Transactions carried out by the USER in order to identify suspected money laundering and/or terrorism financing.
5.3.1. The Issuer may request further information and documents, in addition to those informed in the Registration, to enable the issue of the Prepaid Card.
6.1. The USER’s email, informed when completing the Registration, will be used as a means of communication by the PARTNER and the Payment Institution, only for the request of documents and Personal Data, as well as for communication about the Services provided.
6.2. The USER may, at any time, choose not to receive newsletters, promotional and marketing materials upon express request to the PARTNER and/or the Payment Institution, in which case only messages related to the provision of the Services contracted will continue to be sent.
6.3. The PARTNER and the Payment Institution do not use third-party services to send emails on their behalf. If the USER receives an email that he/she/it believes was not sent by the PARTNER and/or the Payment Institution, he/she/it shall refrain from taking any action and shall immediately contact the PARTNER and/or the Payment Institution to confirm its authenticity.
6.4. The USER declares that he/she/it is aware that, in order to verify the execution of any Transaction in the Payment System, he/she/it shall access the PARTNER’s Platform; the mere receipt of any communication by other means (including email, WhatsApp, telephone and SMS) does not serve as evidence.
7.1. The Personal Data collected by the PARTNER and/or the Payment Institution is stored on secure servers, in an encrypted form, using constantly updated information security measures. Personal Data will be kept confidential and all possible measures against loss, theft, misuse, alteration and unauthorized access will be adopted.
7.2. Personal Data related to the Registration and execution of Transactions in the Payment System will be stored as long as the USER maintains an active Registration and uses the Services of the PARTNER and/or Payment Institution, for as long as necessary to achieve the purposes related to the Services, including for the purpose of complying with any legal, regulatory, contractual, accountability obligation or request by the relevant authorities.
7.2.1. Personal Data will be stored for a minimum period of five (5) years counted as from the termination of the Agreement, or such other period as may be determined in the Applicable Legislation.
7.3. The PARTNER and the Payment Institution employ advanced security standards in order to ensure the protection of the Personal Data and to provide a secure environment for carrying out the Transactions, through the adoption of practices related to information security, such as Users’ authentication, strict access control, encryption of the Personal Data and contents of the Transactions, prevention and detection of intrusion and unauthorized access, prevention of information leakage, periodic testing and scanning to detect vulnerabilities, protection against malicious software, traceability mechanisms, access controls and computer network segmentation, maintenance of backup copies of the Personal Data, among others.
7.3.1. Although the PARTNER and the Payment Institution are dedicated to protecting the Payment System, the USER is responsible for protecting and maintaining the confidentiality of his/her/its Personal Data.
7.3.2. The PARTNER and the Payment Institution are not responsible for Personal Data that the USER shares with third parties. Thus, it is important that the USER adopts a safe behavior, identifying and avoiding situations that may threaten the security of his/her/its Personal Data.
7.3.3. If the USER uses his/her/its Personal Data on third-party websites or services, the responsibility for protecting and storing the Personal Data will lie with the providers of such services; the USER being responsible for paying attention to the content of the privacy policies applicable to the use of third-party websites or services.
7.4. To the extent of the Applicable Legislation, the PARTNER and the Payment Institution are not responsible for illegal violations of their Payment System, which may compromise their database and the USERS’ Personal Data, nor are they responsible for the misuse of the Personal Data fraudulently or illegally obtained.
7.5. In case of suspected or confirmed violation of the Payment System or loss of USER’s Personal Data, the PARTNER and the Payment Institution will use their best efforts and take immediate measures to eliminate or reduce the risks of damages to the USERS, and will inform the USERS potentially affected and the relevant authorities of such fact, the risks involved and the necessary measures to avoid such damages.
7.6. If the Agreement is terminated by the USER, the PARTNER and/or the Payment Institution may use and disclose the USER’s Personal Data in accordance with this Policy.
8. USER’s Rights
8.1. The USER is allowed, at any time, within the limits of the Applicable Legislation, to exercise the following rights over his/her/its Personal Data (“Rights”):
(a) Right to confirm the existence of processing of his/her/its Personal Data.
(b) Right to access the Personal Data processed.
(c) Right to correct any incomplete, inaccurate or outdated Personal Data.
(d) Right to block, delete or anonymize Personal Data that is unnecessary, excessive or processed in violation of the legislation, as well as to oppose the processing of the Personal Data in these same situations.
(e) Right to port (portability) his/her/its Personal Data to another company, to the extent required by official regulations on such matter.
(f) Right to obtain information from public and private entities with which his/her/its data was shared.
(g) Right to be informed about the possibility of not providing his/her/its consent and about the consequences of such denial, in cases where his/her/its Personal Data is collected and processed upon consent, as well as the right to delete, when required, the Personal Data collected upon his/her/its consent, pursuant to the applicable legislation, and the right to revoke his/her/its consent to collect and process data in these same cases.
8.2. The USER may, at any time, exercise the Rights ensured in this Policy or provided for in the Applicable Legislation, upon express request to the PARTNER and/or the Payment Institution, through the service channels indicated in this Policy.
8.2.1. The USER’s request shall be made in writing and accompanied by a proof of identity. The PARTNER and/or the Payment Institution may contact the USER to confirm his/her/its identity before fulfilling the request.
8.2.2. Confirmations of the existence of Personal Data Processing will be provided, in simplified format, within a period of up to fifteen (15) days. For other requests, the PARTNER and/or the Payment Institution may submit its/their response within a period of thirty (30) days, which may be extended depending on the nature and complexity of the request.
9.1. This Policy will be reviewed, from time to time, by the PARTNER together with the Payment Institution to adapt it to the provision of the Services, by excluding, modifying or inserting new sections and conditions.
9.2. The changes shall be informed to the USER upon disclosure of an updated version of this Policy.
9.3. If the USER does not agree with the changes, he/she/it may request the termination of the Agreement with the PARTNER, as set forth therein.
9.4. Upon the Registration and/or use of the Payment System and the Services of the PARTNER together with the Payment Institution by the USER, it will be construed that the USER is aware of the current version of the Policy and does not oppose the use of his/her/its Personal Data as described therein, including the latest changes made, which will become fully applicable.
10. Clarification of Doubts
10.1. Any doubts regarding this Policy may be sent to the Data Protection Officer of the PARTNER and/or the Payment Institution, to email@example.com or through the PARTNER’s website.