Login

Compliance, Legal & Corporate Governance

All Documents
Privacy Policy
Terms and Conditions
AML-FT Policy
Business Continuity Policy
Customer Identification, Qualification and Classification (KYC) Manual
KYE KVP and KYS Manual
Suspicious Operations and Situations Monitoring Manual
Liquidity policy of electronic currencies
Liquidity Contingency and Mitigation Policy
Code of Conduct
Compliance Policy
Internal Risk Assessment
Cybersecurity Policy
Money Laundering Prevention and Combating Terrorismo Financing Policy
Prohibited Activities and Sector

Privacy and Personal Data Protection Policy

1. DEFINITIONS

All capitalized terms in this Policy shall have the meanings listed below:

“Affiliate” means, in relation to FacilitaPay, any Subsidiaries, Parent Companies, companies under common control, and other companies that are part of its economic group;

“ANPD” means the National Data Protection Authority;

“BCB” means the Central Bank of Brazil;

“Client” means the individual who contracts the Products and Services;

“Collaborator” means any individual or legal entity that has a position, function, role, corporate, employment, professional, contractual, or trust relationship with Attrus;

“Control” when used in relation to a person, means (i) the ownership (direct or indirect) of partner, shareholder, or quota holder rights, held individually or jointly with a group of persons bound by a voting agreement (or any other nature of link) or under common control, which ensure, directly or indirectly, permanently, the majority of votes in the deliberations of the general assembly or similar deliberative body of a given person; and (ii) the power to elect the majority of the members of the board of directors, executive board, or other superior deliberative body, or to define the voting orientation within any person, whether by virtue of corporate participation, contract, or any other means. Terms derived from Control, such as “Subsidiary” and “Parent Company,” shall have a meaning analogous to Control;

“Personal Data” means all information related to an identified or identifiable natural person, as per Article 5, item I, of the General Data Protection Law, including, for the purposes of this Policy, by way of example, registration, biometric, contact, banking and financial data, transactional and payment method data, location, and internet browsing data;

“Data Protection Officer” means the person appointed by the controller and operator to act as a communication channel between the controller, data subjects, and the ANPD, as indicated in section 15 below and in Art. 5, item VIII, of the General Data Protection Law;

“ATTRUS” means Facilita Instituição de Pagamento S/A;

“General Data Protection Law” means Law No. 13,709, of August 14, 2018, as amended;

“Partners and Service Providers” mean individuals or legal entities that provide services of any nature to Attrus, commercial or not, paid or unpaid, on an occasional or permanent basis, including, but not limited to, participants in payment arrangements and other service providers in general;

“PEPs” mean: (i) holders of elective mandates of the Executive and Legislative Powers of the Union; (ii) occupants of positions in the Executive Power of the Union, of: (a) Minister of State or equivalent; (b) Special nature or equivalent; (c) president, vice-president and director, or equivalents, of entities of the indirect public administration; and (d) Senior Management and Advisory Group (DAS), level 6, or equivalent; (iii) members of the National Council of Justice, the Federal Supreme Court, the Superior Courts, the Federal Regional Courts, the Regional Labor Courts, the Regional Electoral Courts, the Superior Council of Labor Justice, and the Federal Justice Council; (iv) members of the National Council of the Public Prosecutor’s Office, the Attorney General of the Republic, the Deputy Attorney General of the Republic, the Attorney General for Labor, the Attorney General for Military Justice, the Deputy Attorneys General of the Republic, and the Attorneys General of Justice of the States and the Federal District; (v) members of the Federal Court of Accounts, the Attorney General and the Deputy Attorneys General of the Public Prosecutor’s Office at the Federal Court of Accounts; (vi) presidents and national treasurers, or equivalents, of political parties; (vii) Governors and Secretaries of State and the Federal District, State and District Deputies, presidents, or equivalents, of entities of the state and district indirect public administration, and presidents of Courts of Justice, Military Courts, Courts of Accounts or equivalents of the States and the Federal District; (viii) Mayors, City Councilors, Municipal Secretaries, presidents, or equivalents, of entities of the municipal indirect public administration and Presidents of Courts of Accounts or equivalents of the Municipalities; (ix) persons who, abroad, are: (a) heads of state or government; (b) senior politicians; (c) occupants of senior government positions; (d) general officers and members of higher echelons of the Judiciary; (e) senior executives of public companies; or (f) leaders of political parties; and (x) senior leaders of entities of international public or private law;

“Attrus Platform” has the meaning attributed in section 2 below;

“Privacy Policy” or “Policy” means this privacy and personal data protection policy;

“Products and Services” mean the following products and services: (i) offering of a pre-paid payment account for Clients (residents and non-residents) that enables payment transactions based on this account, including instant transactions through the PIX payment arrangement; (ii) issuance of pre-paid and virtual cards, for general use, which can be used by Clients in closed payment arrangements established by Attrus and/or open payment arrangements established by payment arrangement instituters; (iii) provision of international payment or transfer services (eFX) for Clients, enabling (a) the acquisition of goods and services, in Brazil or abroad, that occurs (1) in person; or (2) through a payment solution offered by Attrus  and integrated into an e-commerce platform; (b) unilateral transfers limited to US$10,000.00 (ten thousand US dollars) or its equivalent in other currencies; (c) transfer of resources between an account in Brazil and an account abroad of the same ownership, limited to US$10,000.00 (ten thousand US dollars) or its equivalent in other currencies; or (d) withdrawal in Brazil or abroad; (iv) spot foreign exchange operations for Clients of up to US$100,000.00 (one hundred thousand US dollars) or its equivalent in other currencies, except for transfers related to the negotiation of derivative instruments abroad; and (v) [automated billing system;

“Terms and Conditions” have the meaning attributed in section 2 below;

“Data Subjects” mean the Clients and/or legal representatives of legal entities that have contracted Products and Services, to whom the Personal Data that are subject to Processing refer, as per Art. 5, item V, of the General Data Protection Law, who allow us access to their Personal Data and/or who provide their Personal Data through relationship channels or public access, including, but not limited to, e-mail, telephone, video conferences, applications, or social networks; and

“Processing” means any operation carried out with Personal Data, such as those that refer to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction, as per Art. 5, item X, of the General Data Protection Law.

2. INTRODUCTION

Attrus, through this Privacy Policy, clarifies to Data Subjects who have Personal Data subject to Processing on its electronic platform available via website and/or mobile application (“Attrus Platform”), the aspects associated with the referred Processing of Personal Data, in accordance with applicable legislation and regulations.

Among other provisions, this Privacy Policy discusses the purposes, forms, and duration of Processing, the institution’s responsibilities, the rights of Data Subjects, and Attrus  contact channels.

By accessing and/or making any use of the Attrus  Platform or benefiting from any activities performed by Attrus  that require the Processing of your Personal Data, you fully agree, in a free, informed, unequivocal manner and without any defect of consent, to the provisions of this Privacy Policy.

You have the right not to provide your consent for the processing of your Personal Data. If you do not provide your consent, as a consequence, you will not have access to and/or be able to use the Attrus Platform and will not be able, by other means, to benefit from any activities performed by Attrus that require the Processing of Personal Data.

Therefore, we kindly request that you carefully read this Privacy Policy, along with our general terms and conditions of use (available online at “https://attrus.com”) (“Terms and Conditions”). For more information about Attrus, please access the following website: “https://attrus.com”. References in this Privacy Policy to “we” and “our” mean a reference to Attrus.

References to “systems”, “application”, “platform”, or “website” mean a reference to a service provided through our systems, including web and mobile, or any other online services provided by us and all data managed, displayed, or transmitted from such services. References to “you”, “your” mean a reference to a Data Subject.

Words, expressions, and abbreviations with initial capital letters, in singular or plural, will have the same meaning assigned to them in the Terms and Conditions, except if defined otherwise in this Privacy Policy.

3. SCOPE

This Privacy Policy is applicable and must be fully complied with, as applicable, by Attrus, all its Employees, Partners and Service Providers, as well as by the Data Subjects. This Privacy Policy is available on our website for reading and analysis by the Data Subjects. Attrus commits to disclose on relationship channels and on its website, as applicable, the content of this Privacy Policy or a mechanism to access it.

4. PERSONAL DATA SUBJECT TO PROCESSING

Attrus, as a fintech with an exclusively online presence specialized in offering Products and Services, performs the Processing of Personal Data in the context of its activities, including, without limitation, in the scope of collection, transportation, information processing, and transaction settlements.

In the context of its role as an electronic money issuing payment institution, to initiate the relationship with FacilitaPay, the Data Subject registers on the Attrus Platform and becomes the holder of a payment account at Attrus. In this context, the following Personal Data are subject to Processing:

(a) email address used for login on the Attrus Platform;
(b) chosen password for login on the Attrus Platform;
(c) full name;
(d) registration number in the National Register of Individuals of the Ministry of Finance (“CPF/MF”);
(e) contact phone number;
(f) date of birth;
(g) marital status;
(h) nationality;
(i) profession;
(j) copy of personal documents (identity card, national driver’s license, proof of residence, documents proving that the legal representative has powers to represent the contracting company);
(k) annual income (declaratory);
(l) bank account details;
(m) information regarding activities carried out on the Attrus Platform;
(n) responses to questionnaires suggested or required by Attrus;
(o) declaration regarding their classification as a PEP; and
(p) geolocation of the Client when accessing the Attrus Platform, as well as when using Attrus in app mode in the background.

As you use the Attrus Platform, Personal Data about you may be subject to Processing by Attrus, along with other additional information, such as your IP address, browser used, cookie information, cell phone type and brand, mobile device identifiers, operating system version, installed applications, network information, Internet connection provider used, device configuration, software data, communications made through the Attrus Platform, and communications made between you and Attrus through our service channels.

Upon completing the registration on the Attrus Platform and creating a prepaid payment account in your name, it will be necessary to add money to your wallet. If you want to transfer the balance from your payment account to a bank account, we will need the account details, the destination bank, account number, branch, and information about the account type.

In addition to the above, other information (including Personal Data) required by applicable law or regulation or at Attrus’s  discretion may be requested and required for analysis of Client profiles or for the purposes of formalizing the commercial relationship with Attrus and/or for the correct provision of Products and Services.

Attrus may also Process Personal Data that originate from secure and reliable sources, including public and private databases, as well as from any third parties, Affiliates, Partners, and Service Providers, such as:

(a) data collected for fraud prevention purposes and compliance with information regimes (PEP lists, OFAC, etc.);
(b) credit data obtained from databases, credit risk centers and/or publicly accessible sources, in accordance with applicable regulations and legislation; and
(c) data that serve to validate the identity of Clients obtained from public bodies, Partners and Service Providers, or other specialized business partners.

Attrus does not Process Personal Data of children or adolescents. If you fall into one of these categories, do not provide us with Personal Data or contact us (as provided in this Privacy Policy) so we can assess your situation and take the necessary.

5. STORAGE

Personal Data by Attrus may be stored on servers located in Brazil or abroad, at Attrus’s  sole discretion. You declare that you understand and agree that other countries may have different levels of Personal Data protection from Brazil. Nevertheless, your Personal Data that may be stored in other countries will be subject to security measures at least equivalent to those provided for in this Privacy Policy.

6. SHARED PROCESSING OF PERSONAL DATA

Third-party access to Personal Data collected by Attrus due to the offer of Products and Services will occur exclusively to meet the purposes described in this Privacy Policy and within the limit necessary for the offer, operationalization, and provision of such Products and Services in the normal course of Attrus’s  business. The main third parties with whom Attrus may share your Personal Data are:

(a) Attrus’s  Affiliates;
(b) payment arrangement institutions and other participants in such payment arrangements;
(c) Partners and Service Providers that have tools, algorithms, and systems aimed at credit analysis;
(d) electronic funds transfer networks;
(e) clearing and settlement banks;
(f) Partners and Service Providers that perform commercial operations and/or information processing for Attrus;
(g) independent auditors;
(h) credit analysis agencies (such as Serasa Experian and BoaVista), credit protection services, and similar;
and/or (i) competent regulatory bodies, such as the BCB.

Additionally, Attrus may share Personal Data in an aggregated form, publicly and/or with its Partners, as long as such information is not personally identifiable. For example, it may publicly share information to demonstrate trends in the general use of Attrus products and services.

In cases where the disclosure of Personal Data of Data Subjects is necessary, whether due to compliance with the law, court order, or competent supervisory body of activities carried out by Attrus and/or third parties, such Personal Data shall be disclosed only in strict terms and within the limits required for its disclosure, and the Data Subjects, to the extent possible and feasible, will be notified of such disclosure, so that they can take appropriate protective or remedial measures.

Whenever the Processing of Personal Data by Attrus becomes necessary for purposes other than those defined in this Privacy Policy or those expressly authorized by the Data Subject, Attrus will inform the Personal Data Subject about this new purpose and, when necessary, will collect a new authorization to carry out the specific Processing in this regard.

7. POSSIBLE SPECIFIC PURPOSES FOR THE PROCESSING OF YOUR PERSONAL DATA

By accepting this Privacy Policy, you consent that Attrus may use your personal data for the following specific purposes:

(a) verify and validate your identity;
(b) register you in our systems;
(c) comply with legal and regulatory obligations, including, without limitation, carrying out procedures for the prevention of money laundering and fraud;
(d) perform your credit risk analysis;
(e) contact you when necessary;
(f) provide support to you;
(g) communicate and send information to Data Subjects;
(h) generate statistical analyses and reports on the functioning and operation of the Attrus Platform, Products and Services, for the benefit of Attrus, its Affiliates, Partners and Service Providers;
(i) provide and improve security mechanisms and monitoring of the Attrus Platform and/or Products and Services;
(j) detect and protect Attrus and/or its Clients against fraud, abuse or illegal acts;
(k) detect and prevent the use of applications and programs for fraudulent purposes or that have the purpose of altering the functionalities of the Attrus Platform and the Services and Products provided by Attrus;
(l) develop new products, services, activities and/or functionalities;
(m) provide the Products and Services, as well as specific benefits that are contracted or requested by the Data Subjects;
(n) maintain records of transactions and foreign exchange operations carried out, as well as inform you about such and carry out appropriate monitoring;
(o) consult and make reports to credit protection agencies, perform commercial verification tasks and/or regarding credit risk, analyze the feasibility of maintaining a commercial relationship and prepare profiles for credit analysis purposes;
(p) conduct research;
(q) correct and/or update data;
(r) perform risk control;
(s) execute any provision contained in the Terms and Conditions, considering the activities carried out, and the Products and Services offered by Attrus;
(t) performance of one or more Attrus activities by other companies that are part of its economic group;
(u) carrying out operations involving Attrus (including, without limitation, corporate operations such as acquisition, incorporation, merger of shares, merger and/or spin-off) and requiring audits;
(v) to contact Data Subjects through different channels, such as email, text messages (SMS), for advertising and/or promotional purposes of Attrus Products and Services;
and (w) for compliance with any order from a competent authority, as well as for the defense of rights in judicial, administrative or arbitration proceedings.

You specifically consent that Attrus may carry out the international transfer of your personal data in accordance with the General Data Protection Law for the specific purposes provided for in this Policy, including, without limitation, for the purpose of contracting third parties that provide technical, systemic and/or operational infrastructure to Attrus and/or as a result of the conclusion of foreign exchange operations within the scope of the offer of Products and Services.

Your Personal Data will not be subject to Processing by Attrus for purposes other than those provided for in this Privacy Policy and/or legally authorized, as indicated in sections 6 and 7 above and in the General Data Protection Law. Attrus will not share Personal Data in order to obtain remuneration due to such sharing.

8. RESPONSIBILITIES AND MEASURES ADOPTED BY ATTRUS

Attrus adopts security, technical, and administrative measures with the aim of protecting the Personal Data of Data Subjects from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inadequate or illicit Processing, including after the termination of processing of said Personal Data, in accordance with current legislation.

In this context and aiming at the security of Personal Data information provided by Data Subjects, Attrus has physical, logical, technical, and administrative security processes compatible with the sensitivity of the information collected, whose efficiency is periodically evaluated by independent auditing. Attrus implements new procedures and continuous technological improvements to protect all Personal Data collected from Data Subjects.

Notwithstanding the security measures mentioned above, Attrus is not responsible for losses resulting from the breach of confidentiality of Personal Data due to the occurrence of any fact or situation that is not directly attributable to it. In processing the information collected, Attrus uses systems structured to meet security and transparency requirements, good practice and governance standards, and the general principles established in the General Data Protection Law and in the market.

Administrators, Employees, and third parties related to Attrus must observe and ensure compliance with this Privacy Policy and, when necessary, contact the Data Protection Officer for consultation on situations that involve conflict with this Policy and upon the occurrence of situations described therein.

The compliance area and the Data Protection Officer shall (i) keep this Privacy Policy updated to ensure that any regulatory and/or legal changes to the guidelines and general rules established herein are observed; (ii) be responsible for clarifying doubts regarding this Privacy Policy and its application; (iii) analyze complaints and communications from Personal Data Subjects, provide clarifications, and take measures; (iv) receive communications from the ANPD and take measures; (v) guide Attrus Employees and Third Parties, as applicable, regarding practices to be taken in relation to Personal Data protection; (vi) adopt initiatives for sharing information about incidents containing Personal Data with the ANPD and with data subjects, when necessary; and (vii) clarify doubts regarding relevant legislation and regulations.

Attrus will maintain records of the Processing operations of your Personal Data, in compliance with the provisions of the General Data Protection Law.

Attrus requires all Employees and Service Providers to maintain the confidentiality of Personal Data shared with them or that they have access to by virtue of exercising their activity, as well as to use such information exclusively for expressly permitted purposes. Attrus will not be responsible for the misuse of such information, either by third parties or by its employees, due to non-compliance with this Privacy Policy and the contractual obligations assumed by said third parties with Attrus through their own instruments.

9. YOUR RIGHTS

Without prejudice to other rights expressly provided for in this Privacy Policy, subject to the existence of applicable law in this regard, you have the right, in relation to your personal data, at any time and upon request to Attrus:

(a) to confirm the existence of Processing of your Personal Data;

(b) to access your Personal Data collected by Attrus;

(c) to anonymize, block or delete unnecessary, excessive data or data processed in non-compliance with the provisions of applicable law;

(d) to demand, through express and specific request, the portability of Personal Data to another service or product provider, as applicable, in accordance with applicable regulations;

(e) deletion of personal data processed with the Client’s consent, except in cases of (i) compliance with legal or regulatory obligation by Attrus, (ii) study by a research body, ensuring, whenever possible, the anonymization of personal data, (iii) transfer to a third party, provided that the processing requirements set forth in applicable legislation are respected, or (iv) exclusive use by Attrus, with access by third parties prohibited, and provided that the data is anonymized;

(f) to obtain information about the public and private entities with which Attrus has shared Personal Data;

(g) information about the non-provision of consent by the Client and consequences of its refusal;

and (h) to revoke your consent.

10. CORRECTION OF PERSONAL DATA

In addition to the provisions in the section above, you have the right to, upon request to Attrus, obtain the correction of Personal Data that is proven to be incomplete, inaccurate, and/or outdated.

11. REVOCATION OF CONSENT AND DELETION OF PERSONAL DATA

If you wish to revoke the consent granted under the terms of this Privacy Policy or delete your Personal Data from Attrus’s  database, you must request the revocation of consent or the deletion of your Personal Data directly from Attrus. Uninstalling the application (when using the Attrus Platform in its app mode) is not sufficient to revoke your consent and/or delete your Personal Data from Attrus’s  database.

Attrus will store your request for revocation and/or deletion and, after the end of the Processing period of your Personal Data, will provide for the destruction or anonymization, at Attrus sole discretion, of information capable of identifying you, without prejudice to the possibility of conservation and use of your Personal Data for legal and regulatory purposes by Attrus. Additionally, in cases where Attrus is acting exclusively as a Personal Data operator, the above rights must be exercised directly with the controller, i.e., the natural or legal person, under public or private law, who is responsible for decisions regarding the Processing of Personal Data.

12. OTHER FORMS OF PROCESSING YOUR PERSONAL DATA

Regardless of any provision to the contrary in this document, by accepting this Privacy Policy and other Terms and Conditions, you acknowledge that Attrus or one of its Affiliates may Process your Personal Data in any form provided by law, as long as it is for the specific purposes set forth in this Privacy Policy and/or by law, including, without limitation, in the cases provided for in Article 7, items V and X of the General Data Protection Law.

13. PERIOD AND TERMINATION OF THE PROCESSING OF YOUR PERSONAL DATA

The Processing of your Personal Data will have as its term the period between: (i) the date of acceptance of this Policy and the Terms and Conditions, and (ii) (a) the date on which Attrus has received the revocation of your consent in relation to this Privacy Policy or (b) in the event that Attrus has received the revocation of your consent but there are still outstanding amounts owed by you to Attrus as a result of the Products and Services, on the date that Attrus has effectively received all amounts owed by you.

14. CONSENT FOR THE PROCESSING OF YOUR PERSONAL DATA

You consent, freely, informedly, unequivocally and without any defect of consent, to the collection, storage, use, processing, association, sharing, disclosure and other forms of Processing of your personal data for any and all purposes provided for in this Privacy Policy.

By accepting this Privacy Policy, you acknowledge that you have perfectly and clearly understood the possible specific purposes that may support the processing of your personal data by Attrus.

Mediante a aceitação da presente Política de Privacidade, você reconhece que entendeu perfeita e claramente as possíveis finalidades específicas que podem amparar o tratamento de seus dados pessoais pela Attrus.

15. DATA PROTECTION OFFICER

Attrus has a Data Protection Officer responsible for Personal Data Processing, as established in the General Data Protection Law. The identity and contact information of the Officer are described on Attrus’s  website, which is: “https”//attrus.com”.

The Officer can be contacted through the means indicated above.

16. CHANGES TO THIS PRIVACY POLICY

We may update or modify this Privacy Policy from time to time to comply with applicable legislation or to adapt it to our business changes. Any relevant changes to this Privacy Policy will be previously informed on the Attrus Platform. By continuing to use the Attrus Platform after being notified, you agree to remain bound by the most updated version of the terms and conditions of this Privacy Policy.

Certain changes to this Privacy Policy may require your consent as per the law in force. If you do not agree with these changes, you have the right to deny your consent, in accordance with the provisions of this Privacy Policy.

17. OTHER IMPORTANT CLAUSES

A nulidade ou invalidade de qualquer das disposiçThe nullity or invalidity of any provisions of this Privacy Policy will not affect the validity and effectiveness of its other clauses and/or any clauses of the Terms and Conditions. If any judicial decision pronounces on the invalidity or ineffectiveness of any of the provisions of this Privacy Policy, Attrus will replace the impugned rule with another that, being lawful, allows the practical results initially intended to be achieved to the greatest extent possible.

All waivers, indemnities, and exclusions in this Privacy Policy will survive the termination of the agreement between us for any reason.

We may, in whole or in part, compromise, waive, or postpone, at our absolute discretion, any liability assumed by you towards us or right granted to us in this Privacy Policy, without in any way prejudicing or affecting our rights in respect of this Privacy Policy.

You and Attrus acknowledge that: (i) the non-exercise, by either of them, or the delay in exercising any right assured to them by this instrument or by law will not constitute a novation or waiver of such right, nor will it prejudice the eventual exercise of said right, at any time; and (ii) the waiver, by either party, of any of the rights or powers provided for in this instrument will only be valid if formalized in writing.

Attrus may assign, transfer, novate or not exercise any of its rights arising from this Privacy Policy, by itself or through any legal entity and/or other legal entity that is or may come to be under the control or shareholding of Attrus.

This Privacy Policy is governed by the laws of the Federative Republic of Brazil.

This Policy and Attrus’s  Terms and Conditions come into effect on August 6, 2024.