You may access the privacy notice of these processors by clicking on their names in the table above.

8.2. Sharing of Data with Partners (Controllers)
Lumx may share Personal Data with partners integrated into its payment infrastructure, to the extent necessary to enable the provision of contracted services, as set out on its website (https.lumx.io/legal/service-providers). Due to legal and regulatory obligations, especially those related to anti-money laundering, compliance verification, record-keeping, and other compliance duties, such partners will act as independent controllers of the shared data. The shared data may include registration information, documents, and information obtained through due diligence procedures (KYC/KYB), as well as other data required for compliance with legal, regulatory, or contractual obligations.

The Personal Data Processing carried out by each Controller may be reviewed in their respective privacy notices by clicking on the partner’s name in the relevant tab on the website. We are not responsible for Personal Data Processing carried out by third parties in this context.

9. Retention and Disposal of Personal Data
   Due to the activities carried out by Lumx in the context of providing services related to virtual assets, including technological infrastructure services for stablecoin-integrated payments, Lumx processes and retains Personal Data necessary to comply with legal and regulatory obligations, especially those related to anti-money laundering, terrorism financing, financing of the proliferation of weapons of mass destruction, fraud prevention, transaction security, and compliance with orders from competent authorities.
   
   In this context, Personal Data collected and processed for Know Your Customer (KYC/KYB) purposes, due diligence, identification, verification, validation, qualification, risk classification, identification of ultimate beneficial owners, legal representatives, partners, officers, attorneys-in-fact, counterparties, and other natural persons related to Lumx’s operations shall be stored for a minimum period of 10 (ten) years, counted from the first day of the year following the end of the relationship with the respective Partner, End User, or related third party, as applicable, pursuant to Art. 67, item I, of BCB Circular No. 3,978/2020, without prejudice to other rules applicable to virtual asset service providers, including BCB Resolution No. 520/2025.
   
   Likewise, Personal Data, records, logs, evidence, and other information related to transactions (KYT), transaction monitoring, analysis of the origin and destination of funds, wallet identification, blockchain addresses, transaction hashes, amounts, dates, times, counterparties, alerts, risk analyses, transaction dossiers, and other records used for the purposes of monitoring, selecting, analyzing, and reporting suspicious transactions or situations shall be stored for a minimum period of 10 (ten) years, counted from the first day of the year following the date of the respective transaction or operation, pursuant to Art. 67, items III and IV, of BCB Circular No. 3,978/2020, without prejudice to the specific regulations applicable to virtual asset service providers.
   
   The retention of such data is based on compliance with a legal or regulatory obligation, pursuant to Art. 7, II, of the LGPD. Where Sensitive Personal Data is processed, such as biometric data used for identity validation, liveness verification, fraud prevention, or Data Subject security, the processing will be carried out on the basis of applicable legal grounds set forth in Art. 11 of the LGPD, in particular to fulfill a legal or regulatory obligation and/or for fraud prevention and Data Subject security in identification and authentication processes.
   
   The above periods may be extended where the retention of Personal Data is necessary to comply with a legal or regulatory obligation, comply with orders from competent authorities, conduct audits, administrative, judicial, or arbitration proceedings, regularly exercise the rights of Lumx or third parties, or preserve evidence related to incidents, fraud, unlawful acts, or contractual breaches.
   
   In addition to data processed for regulatory purposes, Lumx may retain Personal Data related to contractual, commercial, administrative, and financial management, including data contained in contracts, proposals, service orders, communications, relationship records, billing documents, receipts, and other related documents, for the period necessary to fulfill the respective purposes and, following the termination of the contractual relationship, for the period required to comply with legal, regulatory, accounting, or tax obligations and/or for the regular exercise of the rights of Lumx or third parties. In such cases, retention will comply with applicable limitation periods, in particular those set forth in Arts. 205 and 206 of the Civil Code, generally occurring for up to 10 (ten) years from the termination of the contractual relationship or the last relevant event related to the respective contract, as applicable.
   Regarding access to the website and/or the Platform, Lumx has legal obligations requiring the storage of IP address data, time, and date of each access, which must be retained for at least 6 months, in compliance with Article 15 of Law No. 12,965, of April 23, 2014 (“Internet Civil Framework”).
   
   Personal Data related to recruitment and selection processes, where the candidate is not selected, will be deleted within 1 (one) year.
   
   Once the applicable retention periods have expired and there is no legal, regulatory, contractual, or legitimate basis for their maintenance, Personal Data will be erased or anonymized, as applicable and in accordance with the technical, operational, and legal criteria adopted by Lumx.
   
   

10. International Transfer of Personal Data
    Lumx ensures that international transfers of Personal Data are carried out in accordance with the LGPD, specifically through standard contractual clauses, pursuant to Art. 33, II, b of the LGPD and ANPD Resolution No. 19/2024.
    If there is any change to the hosting infrastructure, such as a change in cloud provider, server, or country of storage, Data Subjects will be duly notified via the website or email, and any affected contracts will be adjusted as necessary.
    Lumx ensures that, in cases of international transfer, it adopts valid international transfer mechanisms provided under the LGPD and ANPD regulations, including, as applicable, standard contractual clauses, adequacy decisions, or other instruments recognized by the competent authority, so as to guarantee an adequate level of protection for the transferred Personal Data.
    
    

11. Data Security
    Lumx’s responsibility is to care for personal data and use it for the purposes described in this Notice. To ensure the privacy and protection of Data Subjects’ personal data, Lumx adopts adequate administrative measures and technological resources to guarantee the security of all Personal Data processed. Security measures implemented include system access controls, backup policies, installation of barriers against unauthorized access to databases (including firewalls), multi-factor authentication (MFA), and other information security controls. Wherever possible and compatible with the purposes of the Processing, Lumx adopts data minimization, segregation, pseudonymization, or anonymization techniques.
    
    Lumx strives to protect the privacy of Data Subjects’ personal data, but unfortunately, due to force majeure, cannot guarantee absolute security. Unauthorized access and use by third parties of Data Subjects’ information, hardware or software failures beyond the company’s control, and other external factors may compromise the security of personal data.
    
    The Data Subject is responsible for the security of their account and crypto wallet. Therefore, the Data Subject’s vigilance and attention are essential to maintaining a secure environment for everyone. If the Data Subject identifies or becomes aware of any factor that compromises the security of their data in their relationship with Lumx, please contact Lumx's DPO immediately.
    
    In the event of a security incident that may pose a relevant risk or harm to Data Subjects, Lumx will take appropriate measures to contain and mitigate the effects, and will notify the National Data Protection Authority (ANPD) and the affected Data Subjects, pursuant to Art. 48 of the LGPD and ANPD Resolution No. 15/2024, within the timeframes and in the manner required by applicable regulations. The notification to affected Data Subjects will contain, at a minimum, a description of the nature of the data involved, information about the affected Data Subjects, the technical and security measures adopted to protect the data and mitigate the effects of the incident, as well as the DPO’s contact channels. Records and evidence related to the incident will be preserved for auditing purposes and to respond to any requests from the ANPD.
    
    

12. Data Subjects' Rights
    The User/Visitor has the right to exercise their rights as a Data Subject, as determined by the LGPD, through the email: dpo@lumx.io, and may request:
    
    a) Access to data: the right to obtain from the Controller, upon request, access to the Personal Data being processed.
    
    b) Anonymization, blocking, or erasure: the right to anonymization, blocking, or deletion of their Personal Data when unnecessary, excessive, or processed in non-compliance.
    
    c) Confirmation of processing: the right to obtain from the Controller, at any time upon request, confirmation of the Processing of their Personal Data.
    
    d) Correction: the right to obtain from the Controller, upon request, the correction of Personal Data that is incomplete, inaccurate, or outdated.
    
    e) Information about sharing: the right to be informed of the public or private entities with which the Controller has shared data.
    
    f) Objection: the right to object to the Processing carried out in cases of non-compliance with the LGPD.
    
    g) Petition to the ANPD or consumer protection body: the right to file a complaint with the ANPD or consumer protection bodies regarding the Controller’s processing of their Personal Data.
    
    h) Portability: the right to portability of their Personal Data to another service or product provider, in accordance with ANPD regulations, always subject to industrial and trade secrets.
    
    i) Review of automated decisions: the right to request review of decisions made solely on the basis of automated Processing that affect their interests as a data subject.
    
    j) Withdrawal of consent: the right to withdraw their Consent at any time through an express statement, by means of a free and simplified procedure.
    
    k) Information on refusal of consent: the right to information about the possibility of withholding Consent and about the consequences of doing so.
    
    Requests will be responded to during business hours, Monday through Friday. In accordance with Art. 19 of the LGPD, Lumx will observe the following timeframes: (i) confirmation of the existence of processing: will be provided immediately and in simplified form, or, through a clear and complete statement, within 15 (fifteen) days from the date of the request; (ii) access to personal data and other rights set out in Art. 18 of the LGPD: will be fulfilled within a reasonable period proportional to the complexity of the request, subject to a maximum of 15 (fifteen) days for cases where the response can be provided immediately, or a longer justified period when the request requires gathering, analysis, or consultation of systems and processors involved in the processing. In any case, Lumx will acknowledge receipt of the request and inform the Data Subject of the estimated timeframe for a full response. The response will be sent by email or letter.
    
    Lumx informs that the due diligence process conducted through Third-Party tools may involve automated analysis of the Data Subject’s documents and personal data, including document authenticity verification, liveness check, and searches against national and international restrictive lists. This process may produce decisions or recommendations that affect the Data Subject’s access to Lumx’s services, such as the approval or rejection of registration. Lumx guarantees, in all cases, the review of the tool’s decision by a qualified human professional as a standard practice in its operations.
    
    To ensure security, whenever a Data Subject submits a request to exercise their rights, Lumx may request additional information and/or documents to verify their identity and prevent fraud. This measure aims to protect the security and privacy of all parties.
    
    In some cases, Lumx may have legitimate reasons for not fulfilling a request to exercise rights. These situations include, for example, cases where the disclosure of specific information could violate intellectual property rights or trade secrets of the company or third parties, as well as requests for deletion of Personal Data that cannot be fulfilled due to legal or regulatory retention obligations. Furthermore, the retention of data may be necessary to enable the defense of the company or third parties in disputes of any kind.
    
    Lumx is also unable to edit or delete information stored on blockchains, as it does not have custody or control over these public networks. Information recorded on the blockchain may include purchases, sales, and transfers associated with a blockchain, a crypto wallet, or other data maintained via Lumx.
    
    Some requests may not be fully responded to immediately, but Lumx commits to fulfilling all requests in compliance with applicable legislation.
    
    If the Data Subject has questions about these matters or about how to exercise their rights, they may contact Lumx through the channels provided in this Privacy Notice.
    
    

13. Amendments to the Privacy Notice
    Lumx may modify this “Privacy Notice” at any time to reflect any necessary changes, aimed at improving and aligning with the services provided, or to address legal, administrative, or court order requirements.
    Updated versions will be published on the website. If Lumx makes changes to the way it uses personal information, Data Subjects will be notified by email. In such cases, the Data Subject is responsible for reading such legal notices regarding the changes, which will take effect from the date of publication of the updated Privacy Notice.
    Continued use of Lumx’s services after the effective date of any previously notified amendment constitutes acceptance of the Notice. We also recommend that the Data Subject periodically review this Privacy Notice to stay informed of any changes.