Privacy Policy
Last updated: June 11, 2024
Who are we?
Lumx S.A. ("Lumx"), a private legal entity, registered with the CNPJ/MF under No. 42.887.120/0001-00, headquartered in the City and State of Rio de Janeiro, at Rua Voluntários da Pátria, nº 89, sala 804, Botafogo, CEP 22.270-000, is a startup specialized in providing technological infrastructure for payments integrated with stablecoins ("Platform"), through Application Programming Interfaces ("APIs").
Scope and our role
Lumx determines the purpose and methods of processing your personal data as described in this Notice, acting as the Controller of such data. Committed to privacy and security, Lumx guarantees the lawful and transparent processing of personal data. This Notice aims to describe, in a clear and accessible way, how personal data is used, shared and stored, in accordance with applicable Brazilian legislation, especially Law No. 13,709/2018.
Definitions
The following are some important concepts to easily interpret the terms of this Notice:
a) "Data Subject" or "End User": individual to whom the personal data that is the object of processing refers, which, for the purposes of this Notice, may be the person who accesses the website, candidates for vacancies and partnerships, partners or end users of the services offered by customers who use Lumx's solutions;
b) "LGPD": means "General Law for the Protection of Personal Data" set forth in Brazilian Federal Law No. 13,709/2018;
c) "Personal Data": any information related to the natural person that identifies the individual, or that used in combination with other information processed, identifies an individual. Further, any information through which the identification or contact information of a natural person is possible;
d) "Sensitive Personal Data": personal data on racial or ethnic origin, religious conviction, political opinion, membership of a union or organization of a religious, philosophical or political nature, data related to health or sex life, genetic or biometric data, when linked to a natural person;
e) "Anonymised Data": data relating to the Data Subject who cannot be identified, considering the use of reasonable and available technical means at the time of processing;
f) "Database": a structured set of personal data, established in one or more locations, in electronic or physical support;
g) "Processing of Personal Data": the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction of data of individuals is considered to be the processing of personal data;
h) "Anonymization": use of reasonable technical means available at the time of processing, through which a piece of data loses the possibility of direct or indirect association with an individual;
i) "Controller": natural or legal person, under public or private law, who is responsible for decisions regarding the processing of personal data;
j) "Operator": natural or legal person, under public or private law, who processes personal data on behalf of the controller;
k) "Purpose": what Lumx aims at from the processing of personal data;
l) "Necessity": reason why the processing of personal data is justified in order to achieve the intended purpose. The processing of personal data, however, must be limited to the minimum necessary to achieve the desired purpose, that is, it must be pertinent, proportional, and not excessive;
m) "Consent": free, informed and unequivocal authorization (without leaving any doubts) by which the data subject agrees to the processing of their personal data for a previously stipulated purpose;
n) "Elimination": exclusion of data or a set of data stored in a database, regardless of the procedure employed;
o) "Data sharing": communication, dissemination, international transfer, interconnection of personal data or shared processing of personal databases by public bodies and entities in compliance with their legal competences, or between these and private entities, reciprocally, with specific authorization, for one or more processing modalities permitted by these public entities, or between private entities;
p) “IP address": an IP address is a number assigned to the computer or network when accessed from the Internet. It is usually associated with the Internet entry location, such as Internet service provider;
q) "Aggregated Format": anonymized data, aggregated information, or data that does not identify any specific individual;
r) "Cookies": these are small text files stored on your device that allow us to recognize your preferences and, for example, tailor the website to your browsing behavior and specific needs;
s) "Logs": are records of access to Internet applications that gather information regarding the date and time of use of the application considering a given IP address; and
t) "Client": legal entity that contracts or uses the solutions and services offered by Lumx, and may, for this purpose, share personal data of individuals linked to its operation (such as its legal representatives, partners, employees or end users), observing the purposes set forth in this Notice.
To whom does this Privacy Notice apply?
This Privacy Notice is intended for Data Subjects who interact with the website, End Users of a service offered by Lumx's customers, candidates for vacancies and partnerships, as well as those who somehow have their personal data processed by Lumx.
This Notice does not apply to personal information that is anonymized or in aggregated form.
Source of personal data
The Processing of Personal Data is carried out in accordance with the guidelines of the Brazilian General Data Protection Law in force and in line with the ethical principles and best practices required by the market.
Lumx may collect personal data through the following sources:
5.1. Upon supply by the Data Subject himself
When accessing the website or interacting with Lumx on its available channels or social networks, the Data Subject may have their Personal Data collected as outlined below:
5.1.1. Upon provision by the Data Subject himself through the "Schedule a demo" field
Contact data: full name, corporate email, name of the company in which you work and telephone number.
5.1.2. Upon provision by the Data Subject himself through contact via Linkedin
Contact details: full name and email.
5.1.3. Upon provision by the Data Subject himself through application for vacancies or opportunities for commercial partnerships offered by Lumx
Lumx, through its communication channels and social networks, may disclose vacancies and/or partnership opportunities, in this way, the Data Subject who is interested may share personal data such as:
Contact data: name, email and telephone number;
Academic data of academic history or professional data of employment history and other personal data made available in the resume.
5.1.4. Upon provision by the Data Subject himself through registration in events and content made available by Lumx
Lumx makes events or content available to the public, where the Data Subject registers to receive the event link or the desired document.
Contact data: name, corporate email, telephone.
5.3. By providing third parties to provide the services offered by Lumx
5.2.1. Personal Data of the legal representatives and partners of Lumx Clients
In order to assess eligibility to contract Lumx's services, Personal Data may be collected from individuals who maintain a direct link with potential corporate customers, such as legal representatives, partners or other relevant figures for compliance verification purposes. This collection is necessary for the conduct of background check procedures, including Know Your Customer ("KYC") practices.
Identification data: full name, email, telephone number, full address, date of birth, CPF or equivalent identification document (such as RG, CNH or passport), company in which you work.
The Processing of Personal Data in these cases has the exclusive purpose of allowing Lumx to analyze whether the potential Client, through the individuals linked to it, is able to hire its services, in accordance with its internal compliance policies, regulatory criteria and good integrity and security practices.
5.2.2. Personal Data of End Users
Depending on the nature of the services contracted, Lumx may process Personal Data of End Users indicated by its Clients, as described below:
Identification data: full name, email, telephone number, full address, date of birth, CPF or equivalent identification number (such as ID, CNH or passport).
Financial data: Depending on the nature of the operation carried out (such as inflow or outflow), the Data Subject's wallet address and PIX key may also be collected.
The processing of Personal Data in these cases serves exclusively to enable and perform the services contracted with the Client. It is the Client's responsibility to ensure that all necessary authorizations for sharing such data with Lumx are in place, when applicable.
Personal Data may also be used for purposes of fraud prevention and detection, verification of compliance with the Terms of Use, applicable policies and notices, as well as to prevent illegal or harmful activities.
5.3 Automatically, through Cookies and similar technologies.
Lumx may collect and store information whenever the Data Subject interacts with the website through Cookies and/or similar technologies.
5.3.1. What is a Cookie?
"Cookies" are small files installed on the Data Subject's device that allow the collection of certain information, including personal data, allowing us, among other functions, to recognize your preferences to, for example, adapt the website to your navigation and your specific needs.
There are different types of Cookies. On our website, Lumx may use the following Cookies:
Necessary: these are essential Cookies for the website to function properly and for the User/Client/End Beneficiary to be able to browse the website and use the applications. They are needed, for example, to load balance the website's server, verify its functionality, or to access secure areas of the website via a login. These Cookies do not identify the User and without them the website may not function properly.
Functional Cookies: store information about your preferences, such as your language and your region, allowing a better browsing experience on the website.
Performance: They analyze and enable the collection of data and information about how Data Subjects use the website, which pages they visit most often, the occurrence of errors or information about the performance of the website or application itself.
5.3.2 Why are Cookies used?
The website uses cookies to provide the Data Subject with a better and more efficient browsing experience.
Cookies also store information about browser activities, including the IP address, access logs to internet applications, and the pages visited. These activity logs will be used solely to comply with legal or regulatory obligations and will be retained for a period of six months.
5.3.3 Information retention period
Permanent Cookies: these are cookies that are stored at the level of the internet browser and on the access devices for a period defined by the controller.
Session Cookies: These are temporary. They remain in your browser and access devices while the User/Client/Final Beneficiary is logged in. They can be used to simplify some User actions and link them to others during a browser session. The session will start when a new browser screen is opened and end when that screen is closed.
5.3.4. How to remove or block Cookies?
The Owner has the option to accept or refuse the use of Cookies on their device, using the settings of their preferred browser. However, if you do not accept some Cookies, certain services and features of our website may not function optimally.
You will find more explanations on how to proceed by clicking on the links below. When accessing the respective websites, the User will be subject to the Privacy Notices of third parties and should make sure to read the Privacy Notice specific to each website visited.
How to remove cookies in Internet Explorer (Windows)
How to remove cookies in Microsoft Edge
How to remove cookies in Firefox
How to remove cookies in Google Chrome
How to remove Safari (MAC)
Purpose of processing and legal hypothesis adopted
The purposes and legal grounds adopted by Lumx vary according to the form and reason why the Data Subject relates to the company. We list below some situations in which Lumx may process the Personal Data:
Personal Data collected
Purpose
Legal hypothesis
The Processing of Personal Data undertaken by Lumx will always be based on a certain legal basis provided for in articles 7 and 11 of the LGPD, even if it may not have been listed in the table above.
About personal data of children and adolescents
Lumx does not knowingly request, collect, store, process, or share personal data of children and adolescents. If we identify the occurrence of any type of processing of said data, unintentionally, we will remove the personal data of that child or adolescent from our records immediately.
Sharing personal data with third parties
In order to fulfill the purposes described in this Notice, Lumx may share your personal data with partner companies, in order to offer benefits and new opportunities and/or send communications and advertising, improving the quality of service provided, which will be done in a justified manner, always maintaining the highest security standards, seeking to preserve your privacy as much as possible. Below are described some situations in which there is the possibility of sharing personal data and their respective purposes:
If, upon prior notice, the Data Subject agrees to share them;
Service providers and technology providers. Lumx operates in partnership with other organizations to enable its activities, such as providers of data hosting services, asset security, authentication and validation of registrations, detection of fraud and irregularities in transactions and payments, among others. In order to minimize risks for Data Subjects, suppliers are regularly evaluated and commit to contractual obligations for information security and personal data protection;
Public Authorities. For compliance with applicable legislation or upon request from public or government authorities;
In the event of a sale, in whole or in part, of the business or its assets, or as part of any business reorganization or restructuring, merger, spin-off or incorporation, so that we may share Users' information with third parties who are part of their respective businesses, taking the necessary steps to ensure that privacy rights continue to be protected, pursuant to this Notice;
Third-Party Links. The platform may include links to third-party websites, plug-ins, or applications. Clicking on these links or enabling such connections may allow third parties to collect or share personal data of the Data Subjects. Lumx is not responsible for the Privacy Notice of these third-party websites;
Customers or Partners: To send newsletters and share benefits or new opportunities, provided the Data Subject has not opted out. Personal data may be shared with partners or providers of web analytics services, to enable the Data Subject to access the website without problems and so that Lumx can understand how to improve its services and the experience when accessing the website; and
Third-party crypto wallets. To use Lumx's services, the Data Subject may use a third-party crypto wallet that allows transactions to be carried out on public blockchains. Your interactions with any wallet provider will be governed by the applicable Terms and that third party's Notice.
Retention and disposal of personal data
The personal data processed by Lumx will be retained for the duration of the contract, in accordance with Article 7, item V, of the LGPD. Upon the termination of this period, personal data, including third parties, will be stored in compliance with the statute of limitations under Brazilian law, unless the processing is based on the Data Subject’s consent, a legitimate interest that justifies continued storage, or if retention is otherwise authorized by applicable legislation.
Once the statute of limitations has expired, the personal data processed by Lumx will be deleted, except in cases where processing is necessary under the circumstances set forth in Article 16 of the LGPD, as outlined below:
Compliance with a legal or regulatory obligation by the Controller;
Study by a research body, ensuring, whenever possible, the anonymization of personal data;
Transfer to a third party, provided that the requirements for the processing of personal data set forth in LGPD are respected; or
Exclusive use of the controller, with access by third parties prohibited, and provided that personal data is anonymized.
In certain cases, Lumx has legal obligations that determine the storage of personal data for specific periods, such as IP address data, time and date of each access to our Platform, which must be retained for at least 6 months, in compliance with article 15 of Law No. 12,965, of April 23, 2014 ("Brazilian Civil Rights Framework for the Internet").
International Transfer of Personal Data
Lumx may transfer personal data to other countries in the event of providing services or functionalities that use technological infrastructure established outside Brazil, such as hosting servers and cloud services or when we need to involve third parties located abroad, under the terms of article 33 of the Brazilian General Data Protection Law.
Currently, the databases, websites and servers used by Lumx are hosted on Google Cloud infrastructure, specifically in the us-east1 region (South Carolina, United States). This choice aims to ensure high availability, performance, and security for our systems.
If there is a change in the hosting infrastructure — such as changing cloud provider, server, or storage country — data subjects will be duly notified by website or email and any affected contracts will be adjusted as necessary.
Lumx ensures that, in cases of international transfer, personal data will only be transferred to countries or companies that provide a level of personal data protection equivalent to that required by current Brazilian legislation, especially LGPD.
Data security
Lumx's responsibility is to take care of personal data and use it for the purposes described in this Notice. To ensure the privacy and protection of the personal data of the Data Subjects, Lumx adopts appropriate administrative measures and technological resources to ensure the security of all personal data processed. Among the security measures implemented are system access controls, backup policy, installation of barriers against improper access to databases (including firewalls), multi-factor authentication, among other information security controls.
In order to provide greater transparency, we inform you that the data stored during operations is all anonymized.
Lumx strives to protect personal data, but unfortunately, for reasons of force majeure, it cannot guarantee complete security. Unauthorized third-party entries and uses of End User information, hardware or software failures that are not under the company's control, and other external factors may compromise the security of personal data.
The Clients and End User are responsible for the security of their account and crypto wallet. Therefore, the performance and attention of the End User is essential for maintaining a safe environment for all. If you identify or become aware of any factor that compromises the security of your data in your relationship with Lumx, please contact us immediately.
Rights of data subjects
Data subjects have the right to request information from Lumx regarding the processing of their personal data through the requests below:
Right to confirm the existence of processing: Data Subjects may contact us in order to confirm whether any of their personal data is processed by Lumx;
Right of access: it is the right of Data Subjects to request access to existing personal data processed by Lumx;
Right to rectification of Personal Data: Data Subjects may request Lumx, at any time, to change their personal data, if it is incorrect, inaccurate or outdated. Examples are: name update, change of telephone number and address. It is important that personal data is accurate and current, and it is up to the Data Subject to keep Lumx informed in cases where their personal data needs to be corrected;
Anonymization, blocking, or deletion of unnecessary, excessive, or processed data in violation of the LGPD: Data Subjects may request the blocking and deletion of their personal data. Such request may only be denied by Lumx in cases where the request cannot be met or in cases where its storage is mandatory or allowed, in accordance with the hypotheses listed in article 7 of the LGPD and other applicable provisions. As anonymization prevents the identification of the individual, anonymized data is no longer considered personal data and, therefore, is outside the scope of application of the LGPD;
Portability: the right to request a copy of your personal data in electronic format and/or to transmit such personal data for use in the third-party service
Right to delete Personal Data processed with the consent of Data Subjects: personal data will be deleted once the purpose for its collection and processing has been fulfilled, except in certain cases:
compliance with a legal or regulatory obligation by Lumx;
transfer to a third party, provided that the requirements for processing Personal Data set forth in the LGPD are respected; or
exclusive use of Lumx, its access by third parties is prohibited, and provided that the personal data is anonymized.
Information regarding the public and private entities with whom the controller has shared personal data: the Data Subject is entitled to request access to any personal data transmitted to these entities;
Information regarding the option to withhold consent and its consequences: Lumx is available to provide clear and transparent assistance concerning any doubts about the processing of Data Subjects’ personal data, including possible effects resulting from the refusal to provide consent;
Revocation of consent: Data Subjects have the right to revoke their consent for Personal Data processing at any time by submitting a written request to Lumx through a free procedure, provided that the processing is based on consent.
To ensure security, whenever a Data Subject submits a request to exercise their rights, Lumx may require additional information and/or documents to verify their identity and prevent fraud. This measure is intended to protect the security and privacy of all parties involved.
In certain cases, Lumx may have legitimate grounds to deny a request to exercise data subject rights. Such situations include, for example, instances where disclosing specific information could infringe on intellectual property rights or trade secrets of the company or third parties, as well as requests to delete data that must be retained due to legal or regulatory obligations. Additionally, retaining data may be necessary to enable the defense of the company or third parties in any type of dispute.
Furthermore, Lumx cannot modify or delete information stored on blockchains, as it neither holds custody nor control over these public networks. Data recorded on the blockchain may include transactions such as purchases, sales, and transfers linked to a blockchain address, crypto wallet, or other information managed via Lumx.
Some requests may not be fulfilled immediately or in full; however, Lumx is committed to addressing all requests in accordance with applicable laws and regulations.
If the Data Subject has any questions regarding these matters or how to exercise their rights, they may contact Lumx through the channels provided at the end of this Privacy Notice.
How to talk about personal data with Lumx?
If you believe that your Personal Data has been processed in a way that is incompatible with this Privacy Notice or your choices as a Data Subject, or if you have any questions, comments, or suggestions about this Notice or Lumx's data processing practices, please contact us through the channels below:
Email: dpo@lumx.io
Data Protection Officer (DPO): Débora Leal Soares de Castro
We are available to provide the necessary clarifications and ensure that your rights as a Data Subject are respected.
Modification of the Privacy Notice
Lumx may modify, at any time, this "Privacy Notice" to reflect any necessary changes, aiming at improving and corresponding to the services provided or to respond to legal, administrative or court order issues.
The updated versions of this Privacy Notice will be published on the website. Should Lumx make any changes to the way it processes personal information, Data Subjects will be notified either by email or through a notice on the website. In such cases, Data Subjects are responsible for reviewing these legal notices, and the changes will take effect from the date the updated Privacy Notice is published.
Your continued use of Lumx’s services after the effective date of any previously notified changes constitutes your acceptance of the updated Privacy Notice. We also recommend that you review this Privacy Notice periodically to stay informed about any modifications.