privacy policy

This Privacy Policy ("Policy") applies to all services provided by ADIQ INSTITUIÇÃO DE PAGAMENTO S/A, a legal entity under private law, enrolled with CNPJ (corporate taxpayer number) 20.520.298/0001-78, located at Alameda Vicente Pinzon, nº 51, 10th and 11th floors, Vila Olímpia, São Paulo, SP, ZIP Code: 04547-130, ("ADIQ"), in connection with the use the CARDHOLDER makes of Services provided by ADIQ.

Introduction

This Policy aims at clearly and comprehensively informing about potential CARDHOLDER Personal Data Processing, in connection with the use of Services provided by ADIQ.

ADIQ announces its Policy to protect CARDHOLDER privacy, ensuring Personal Data Processing will enable Service provision and/or other purposes established in this Policy.

By using ADIQ Services, according to the terms and conditions established in the corresponding Service Agreement, the CARDHOLDER states and warrants he/she is aware of this Policy. In case the CARDHOLDER does not agree with Personal Data Processing as established in this Policy, he/she shall not use ADIQ Services.

The CARDHOLDER may always choose not to inform his/her Personal Data, or request removal. However, it is worth pointing out that, in this case, ADIQ will not be able to register the CARDHOLDER and/or provide thorough Services and/or will only be able to provide limited Services.

Pursuant to and consistent with the applicable law, some provisions in this Policy do not apply to legal entity CARDHOLDERS, only to individual CARDHOLDERS.

For further information on the use of Personal Data in Service provision by ADIQ, the CARDHOLDER shall refer to the corresponding Service Agreement and interpret it in combination with this Policy. In case you have any question, contact ADIQ in the channels mentioned in this Policy.

ADIQ may change the conditions in this Policy from time to time, and the updated version will be available for reference in the following link: https://www.adiq.com.br/en/privacy-policy/

1. Definitions

1.1. Without prejudice to other definitions found in this Policy or in the corresponding service provision Agreements, the words and expressions starting with a capital letter shall assume the following definitions:

“Registration”: an internal registration made by ADIQ of identifying data and other information needed to make the Services available to CARDHOLDERS.

“Service Agreement”: a contract that governs the rules, conditions and limits of Services provided by ADIQ to CARDHOLDERS.

“Anonymized Data”: CARDHOLDER data that cannot be identified, considering the use of reasonable technical methods available during data processing.

“Technical Use Data”: information ADIQ may process as a consequence of using mobiles, computers or other devices CARDHOLDERS may use to access the Platform or other Services provided by ADIQ. Technical Use Data show technical information of the Services provided by ADIQ, including IP (Internet Protocol) address, statistics on how pages are loaded or viewed, the Websites visited by CARDHOLDERS and navigation data collected through Cookies or similar technology.

“Personal Data”: information concerning CARDHOLDERS as individuals, including representatives of identified or identifiable legal entities. It may include name, selfie, street address, telephone number, email, birth date, mother’s full name, number or copy of official documents (i.e.; ID, driver’s license, CPF, CNPJ, among others). CARDHOLDER

“Device Information”: data that can be automatically collected from any device used to access the Platform. This data may include, but is not limited to, the type of device, device network connections, device name, device IP address, information about the device browser, Internet connection used to access the Platform. For mobile devices, the information may include, but is not limited to, IMEI, serial number, device model, operating system version, carrier.

“Applicable Law”: all applicable law concerning information security, data privacy and protection, including, but not limited to, Law nº 13,709/2018 – General Law on Protection of Personal Data, Law nº 12,965/2014 – Civil Rights Framework for the Internet, Law nº 8,078/1990 – Consumer Protection Code, Complementary Law nº 166/2019 – Positive Registry Law, Law nº 12,527/2011 – Access to Information Law, Ordinance nº 7,962/2013 – E-commerce Ordinance and other laws and standards applicable to the Payment System.

“Geographic Location”: information that identifies CARDHOLDERS locations based, for instance, on latitude and longitude coordinates obtained by GPS, Wi-Fi or mobile location triangulation. The Platform may request permission to share CARDHOLDERS current location. In case CARDHOLDERS do not agree with providing Geographic Location data, the Services may not work properly.

“Service Providers”: possible service providers whose system is integrated with ADIQ to enable Service provision.

“Services”: services provided by ADIQ to CARDHOLDERS, according to the terms and conditions established in the Service Agreement.

“Payment System”: a payment system made available by ADIQ for capture, processing and settlement of a Payment Transaction.

“Payment Transaction”: operation in which CARDHOLDERS make or receive payments using the payment methods available in the Services provided.

“Processing”: all operations conducted with CARDHOLDERS Personal Data and/or Sensitive Data, concerning data collection, production, receiving, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, removal, assessment or control, modification, communication, transfer, diffusion or extraction.

“CARDHOLDER”: a legal entity or individual (including representatives, or agents authorized to carry out Payment Transactions) who provides their Personal Data to receive the Services provided by ADIQ.

2. Obtaining personal data

1. While providing Services, ADIQ can Process CARDHOLDERS Personal Data, according to the Services Agreement, to enable, for instance:

(a) Opening a payment account (“Payment Account”) and making Payment Transactions.

(b) Receiving resources from payments using credit or debit cards (“Card”) though payment arrangements set by the brands accepted in the Payment System.

(c) Making PIX instant payments, according to the rules established by Bacen (“Instant Payments”); and/or

(d) Having pre-paid cards (“Pre-paid Card”) issued by an Issuer.

2. In order to use the Services provided by ADIQ, CARDHOLDERS have to provide the Personal Data requested for registration and be properly identified as a Service receiver. The Registration shall consist only of data needed for ADIQ to provide the Services.

2.1. To prevent frauds and ensure authenticity of Personal Data provided, other pieces of information may be requested, as well as the submission of pictures or the copy of documents that allow for the confirmation of data provided by CARDHOLDERS.

2.2. ADIQ may also request CARDHOLDERS financial data to provide Services and/or during Service provision, which may include, as applicable: (i) Bank Account identification data and ownership confirmation; (ii) information on the Payment Transaction, including origin of resources and reason for the transaction.

2.3. Additionally, ADIQ may query CARDHOLDER information available in public or private data bases, including credit rating bureaus (financial condition), which is hereby authorized by the CARDHOLDER upon hiring ADIQ Services.

3. In case the CARDHOLDER is indicated by an ADIQ business partner, their Personal Data can be directly shared by the partner, for the purposes of making the Services promptly available by ADIQ. Sharing of Personal Data will occur upon the CARDHOLDER previous and express consent, pursuant to the Applicable Law, obtained by the corresponding partner with the CARDHOLDER, according to the law.

4. Upon Personal Data Processing, according to the Applicable Law, the following shall be observed: strict principles of purpose, adequacy, need, free access, data quality, transparency, security, prevention, non-discrimination, responsibility and accountability.

5. Before the Payment Transaction requested by the CARDHOLDER is completed in the Payment System, ADIQ may request additional documents and information that may be deemed necessary to identify and prevent fraud situations, including location; and that may be shared with other CARDHOLDERS, Service Providers, regulatory agencies and competent authorities.

5.1. Processing of the CARDHOLDER Personal Data may occur for purposes beyond the Service Provision scope; however, it shall occur solely based on the CARDHOLDER or ADIQ legitimate interest, in full compliance with the applicable law, or, else, upon express consent from the CARDHOLDER, if applicable.

6. ADIQ Services may use the CARDHOLDER Device Data, Technical Use Data and Geographical Location, which is hereby authorized by the CARDHOLDER, where there are no other legal grounds applicable, should the CARDHOLDER hire ADIQ Services.

6.1. Additionally, ADIQ Services may use “Cookies” (files stored in your PC to get navigation data within the Website) to confirm your identity and check your navigation behavior. In case CARDHOLDERS do not consent to that type of use, they can disable that function in the options available in the software program used to browse the Internet, to refuse receiving Cookies and remove them anytime. The CARDHOLDER shall verify the options and tools available in the software program used.

3. Use of Personal Data

1. ADIQ shall process CARDHOLDERS Personal Data to provide SERVICES in, including, but not limited to, the following situations:

(a) Register and authenticate the CARDHOLDER access to the Services.

(b) Communicate with the CARDHOLDER during Service provision.

(c) Submit or request payments, according to the Payment Transactions made by the CARDHOLDER during the Services term.

(d) Check the CARDHOLDER credit rate and financial reputation.

(e) Keep the CARDHOLDER Personal Data updated.

(f) Monitor and analyze the CARDHOLDER behavior regarding the Service use.

(g) Check the CARDHOLDER identity in order to manage risks and protect the Services against frauds.

(h) Rate the CARDHOLDER and monitor their behavior when using Services, aiming at preventing torts, including in cases of politically exposed people.

(i) Connect the CARDHOLDER with the Service Providers system needed to deliver ADIQ Services.

(j) Organize and promote marketing campaigns, and enhance Services and/or experiences in the use of the Services.

(k) Offer customized services provided by third parties, including the use of Cookies.

(l) Promote the offering of specific products or services, as long as the CARDHOLDER consents to it, by publishing ads, research results and other customized contents.

(m) Meet the requirements established in the Agreement, in the Applicable Law and/or regulations set by regulators.

2. ADIQ shall collect, store and share the CARDHOLDER Personal Data whenever there is legitimate interest from ADIQ and/or from the CARDHOLDER, according to applicable legal procedures.

3. In case ADIQ shares the CARDHOLDER Personal Data, it shall do so using a secure network, attaining strictly to the information necessary to identify the CARDHOLDER and the Payment Transaction data to provide the Services.

4. The CARDHOLDER Personal Data may also be shared by ADIQ with third parties hired to provide computing services, data transfer and cloud hosting, credit protection services, fraud analysis tools, and analysis tools to prevent money laundering; provided these third parties apply privacy and security levels comparable to the ones applied by ADIQ, and are legally bound not to access the content or share Personal Data, except upon express request by ADIQ or to fulfill a legal obligation.

4.1. Personal Data is collected in Brazil and can be transferred to another country, where the business in charge of hosting is headquartered and/or keeps its servers. In this case, ADIQ shall make sure the foreign country offers the Personal Data protection level required in this Policy, pursuant to the Applicable Law.

4.2. The CARDHOLDER Personal Data and Payment Transaction data can be used by ADIQ to elaborate researches and statistics aimed at analyzing Service efficiency, among others, provided that the information is converted into Anonymized Data, in order to preserve the CARDHOLDER individuality and identification.

4. Sharing Personal Data with Third Parties

1. Occasionally, in order to deliver services to the CARDHOLDER, ADIQ may share their Personal Data with service providers, according to the Service to be used, always requesting consent or based on other legal grounds applicable to processing.

1.1. Some processing occurs not only during the Service provision. In those cases, the CARDHOLDER data will not be stored by ADIQ, but can be used to manage risk according to PCI (Payment Card Industry) rules, which aim at establishing minimum standards to protect Personal Data, among others.

5. Communication

1. ADIQ may use different communication methods to contact CARDHOLDERS and notify about Services and/or product offers and/or new Services, namely, email, WhatsApp, Platform, among others; all communication shall observe the privacy rules established in this Policy.

2. CARDHOLDERS may choose not to receive newsletters, promotional and marketing materials, upon express request to ADIQ using the business official channels.

3. ADIQ may use third-party services to communicate with Customers on its behalf. However, in case CARDHOLDERS receive communications they believe had not been sent by ADIQ, they should refrain from taking any action and immediately contact ADIQ using the official channels to check whether the information is reliable.

6. Storage

1. Personal Data collected by ADIQ is stored in secure servers, encrypted, making use of information security measures that are continuously updated. Personal Data shall be kept confidential, and all reasonable actions shall be taken to prevent loss, theft, improper use, change and non-authorized access.

2. Personal Data shall be stored while CARDHOLDERS use ADIQ Services for the time needed to meet the goals related to the Services and/or in order to meet any legal, regulatory, contractual and accountability obligations, or request by competent authorities.

2.1. Personal Data shall be stored for at least 05 (five) years, from the date the Agreement is terminated, or another term that may be determined by the Applicable Law.

3. ADIQ employs advanced security standards in order to ensure protection of Personal Data by adopting information security practices, such as CARDHOLDER authentication, strict access control, encryption of Personal Data and other Services when applicable, prevention and detection of intrusion and unauthorized access, prevention of information leakage, periodic testing and scanning to detect vulnerabilities, protection against malicious software programs, traceability mechanisms, access controls and computer network segmentation, and backup of Personal Data, among others.

3.1. ADIQ responsibilities to ensure CARDHOLDERS proper Personal Data Processing do not exempt CARDHOLDERS from properly saving and storing their own data.

3.2. ADIQ takes no responsibility for Personal Data CARDHOLDERS share with third parties; CARDHOLDERS must take the necessary security measures to protect their own Personal Data.

3.3. CARDHOLDERS shall not use non-authorized applications to access Services provided by ADIQ; in the event non-authorized applications are used, any Personal Data processed by third-party applications or accessed through third-party applications shall be the sole and exclusive responsibility of CARDHOLDERS and the third party.

4. To the full extent permitted by the Applicable Law, ADIQ holds no responsibility for incidents in the Service environment that might compromise ADIQ databases and CARDHOLDERS Personal Data, neither holds responsibility for improper use of Personal Data obtained through fraud methods.

5. In case of suspicion or confirmation of any incident in the Service scope, or loss of CARDHOLDERS Personal Data, ADIQ shall make all reasonable efforts and shall promptly act to eliminate or reduce risks of damage to CARDHOLDERS, and shall notify potentially affected CARDHOLDERS and competent authorities about the fact, the risks involved and the necessary measures to avoid those damages.

6. Whenever necessary, ADIQ may use and disseminate CARDHOLDERS Personal Data in accordance with this Policy and the applicable law.

7. CARDHOLDERS Rights

1. CARDHOLDERS are entitled to the following rights over their own Personal Data, at any time, observing the limits of the Applicable Law (“Rights”):

(a) Right to confirm the existence of Processing activities

(b) Right to access, change, remove or cancel their own Personal Data

(c) Right to object, restrict or oppose to their own Personal Data Processing.

(d) Right to review automated decisions based on Personal Data Processing.

(e) Right to transfer their own Personal Data.

(f) Right not to consent, or to remove consent, and to be notified about the associated consequences.

(g) Right to anonymize their own Personal Data.

2. CARDHOLDERS can, at any time, exercise their Rights as established in this Policy or in the Applicable Law, upon express request to ADIQ, using the official customer service channels offered by ADIQ.

2.1. CARDHOLDERS requests shall be made in written and a proof of identity shall be attached. ADIQ may contact CARDHOLDERS to confirm their identity before delivering what they requested. ADIQ may not deliver what was requested, provided ADIQ acts according to the law.

2.2. Confirmation of the existence of Personal Data Processing shall be provided, in a simplified format, no longer than 15 (fifteen) days after the request. For all other requests, ADIQ may take up to 30 (thirty) days to reply, and that time frame may be extended, according to the nature and the complexity of the request.

8. Changes in the Privacy Policy

1. ADIQ shall regularly revise this Policy to adjust it to Service provision, deleting, modifying and/or adding new provisions and conditions.

2. Changes shall be notified to CARDHOLDERS and the Policy updated version shall be announced.

3. In case CARDHOLDERS do not agree with the changes made, they may request to terminate the Service Agreement signed with ADIQ, according to the provisions established in the Agreement.

3.1. By using the Services, CARDHOLDERS agree and accept the current Policy version, including the most recent changes, which shall be completely applicable.

9. Clarifying Questions

1. Any questions concerning this Policy can be submitted to the person in charge of ADIQ data protection, through email: dpo@adiq.com.br, or at the Website: www.adiq.com.br.