Last updated: June 11, 2025

1. Who are we?

Lumx S.A. ("Lumx"), a private legal entity, registered with the CNPJ/MF under No. 42.887.120/0001-00, headquartered in the City and State of Rio de Janeiro, at Rua Voluntários da Pátria, nº 89, sala 804, Botafogo, CEP 22.270-000, is a startup specialized in providing technological infrastructure for payments integrated with stablecoins ("Platform"), through Application Programming Interfaces ("APIs").

2. Scope and our role

Lumx determines the purpose and methods of processing your personal data as described in this Notice, acting as the Controller of such data. Committed to privacy and security, Lumx guarantees the lawful and transparent processing of personal data. This Notice aims to describe, in a clear and accessible way, how personal data is used, shared and stored, in accordance with applicable Brazilian legislation, especially Law No. 13,709/2018.

3. Definitions

The following are some important concepts to easily interpret the terms of this Notice:

a) "Data Subject" or "End User": individual to whom the personal data that is the object of processing refers, which, for the purposes of this Notice, may be the person who accesses the website, candidates for vacancies and partnerships, partners or end users of the services offered by customers who use Lumx's solutions;

b) "LGPD": means "General Law for the Protection of Personal Data" set forth in Brazilian Federal Law No. 13,709/2018;

c) "Personal Data": any information related to the natural person that identifies the individual, or that used in combination with other information processed, identifies an individual. Further, any information through which the identification or contact information of a natural person is possible;

d) "Sensitive Personal Data": personal data on racial or ethnic origin, religious conviction, political opinion, membership of a union or organization of a religious, philosophical or political nature, data related to health or sex life, genetic or biometric data, when linked to a natural person;

e) "Anonymised Data": data relating to the Data Subject who cannot be identified, considering the use of reasonable and available technical means at the time of processing;

f) "Database": a structured set of personal data, established in one or more locations, in electronic or physical support;

g) "Processing of Personal Data": the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction of data of individuals is considered to be the processing of personal data;

h) "Anonymization": use of reasonable technical means available at the time of processing, through which a piece of data loses the possibility of direct or indirect association with an individual;

i) "Controller": natural or legal person, under public or private law, who is responsible for decisions regarding the processing of personal data;

j) "Operator": natural or legal person, under public or private law, who processes personal data on behalf of the controller;

k) "Purpose": what Lumx aims at from the processing of personal data;

l) "Necessity": reason why the processing of personal data is justified in order to achieve the intended purpose. The processing of personal data, however, must be limited to the minimum necessary to achieve the desired purpose, that is, it must be pertinent, proportional, and not excessive;

m) "Consent": free, informed and unequivocal authorization (without leaving any doubts) by which the data subject agrees to the processing of their personal data for a previously stipulated purpose;

n) "Elimination": exclusion of data or a set of data stored in a database, regardless of the procedure employed;

o) "Data sharing": communication, dissemination, international transfer, interconnection of personal data or shared processing of personal databases by public bodies and entities in compliance with their legal competences, or between these and private entities, reciprocally, with specific authorization, for one or more processing modalities permitted by these public entities, or between private entities;

p) “IP address": an IP address is a number assigned to the computer or network when accessed from the Internet. It is usually associated with the Internet entry location, such as Internet service provider;

q) "Aggregated Format": anonymized data, aggregated information, or data that does not identify any specific individual;

r) "Cookies": these are small text files stored on your device that allow us to recognize your preferences and, for example, tailor the website to your browsing behavior and specific needs;

s) "Logs": are records of access to Internet applications that gather information regarding the date and time of use of the application considering a given IP address; and

t) "Client": legal entity that contracts or uses the solutions and services offered by Lumx, and may, for this purpose, share personal data of individuals linked to its operation (such as its legal representatives, partners, employees or end users), observing the purposes set forth in this Notice.

4. To whom does this Privacy Notice apply?

This Privacy Notice is intended for Data Subjects who interact with the website, End Users of a service offered by Lumx's customers, candidates for vacancies and partnerships, as well as those who somehow have their personal data processed by Lumx.

This Notice does not apply to personal information that is anonymized or in aggregated form.

5. Source of personal data

The Processing of Personal Data is carried out in accordance with the guidelines of the Brazilian General Data Protection Law in force and in line with the ethical principles and best practices required by the market.

Lumx may collect personal data through the following sources:

5.1. Upon supply by the Data Subject himself

When accessing the website or interacting with Lumx on its available channels or social networks, the Data Subject may have their Personal Data collected as outlined below:

5.1.1. Upon provision by the Data Subject himself through the "Schedule a demo" field

1. Contact data: full name, corporate email, name of the company in which you work and telephone number.

5.1.2. Upon provision by the Data Subject himself through contact via Linkedin

1. Contact details: full name and email.

5.1.3. Upon provision by the Data Subject himself through application for vacancies or opportunities for commercial partnerships offered by Lumx

Lumx, through its communication channels and social networks, may disclose vacancies and/or partnership opportunities, in this way, the Data Subject who is interested may share personal data such as:

1. Contact data: name, email and telephone number;

2. Academic data of academic history or professional data of employment history and other personal data made available in the resume.

5.1.4. Upon provision by the Data Subject himself through registration in events and content made available by Lumx

Lumx makes events or content available to the public, where the Data Subject registers to receive the event link or the desired document.

1. Contact data: name, corporate email, telephone.

5.3. By providing third parties to provide the services offered by Lumx

5.2.1. Personal Data of the legal representatives and partners of Lumx Clients

In order to assess eligibility to contract Lumx's services, Personal Data may be collected from individuals who maintain a direct link with potential corporate customers, such as legal representatives, partners or other relevant figures for compliance verification purposes. This collection is necessary for the conduct of background check procedures, including Know Your Customer ("KYC") practices.

1. Identification data: full name, email, telephone number, full address, date of birth, CPF or equivalent identification document (such as RG, CNH or passport), company in which you work.

The Processing of Personal Data in these cases has the exclusive purpose of allowing Lumx to analyze whether the potential Client, through the individuals linked to it, is able to hire its services, in accordance with its internal compliance policies, regulatory criteria and good integrity and security practices.

5.2.2. Personal Data of End Users

Depending on the nature of the services contracted, Lumx may process Personal Data of End Users indicated by its Clients, as described below:

1. Identification data: full name, email, telephone number, full address, date of birth, CPF or equivalent identification number (such as ID, CNH or passport).

2. Financial data: Depending on the nature of the operation carried out (such as inflow or outflow), the Data Subject's wallet address and PIX key may also be collected.

The processing of Personal Data in these cases serves exclusively to enable and perform the services contracted with the Client. It is the Client's responsibility to ensure that all necessary authorizations for sharing such data with Lumx are in place, when applicable.

Personal Data may also be used for purposes of fraud prevention and detection, verification of compliance with the Terms of Use, applicable policies and notices, as well as to prevent illegal or harmful activities.

5.3 Automatically, through Cookies and similar technologies.

Lumx may collect and store information whenever the Data Subject interacts with the website through Cookies and/or similar technologies.

5.3.1. What is a Cookie?

"Cookies" are small files installed on the Data Subject's device that allow the collection of certain information, including personal data, allowing us, among other functions, to recognize your preferences to, for example, adapt the website to your navigation and your specific needs.

There are different types of Cookies. On our website, Lumx may use the following Cookies:

1. Necessary: these are essential Cookies for the website to function properly and for the User/Client/End Beneficiary to be able to browse the website and use the applications. They are needed, for example, to load balance the website's server, verify its functionality, or to access secure areas of the website via a login. These Cookies do not identify the User and without them the website may not function properly.

2. Functional Cookies: store information about your preferences, such as your language and your region, allowing a better browsing experience on the website.

3. Performance: They analyze and enable the collection of data and information about how Data Subjects use the website, which pages they visit most often, the occurrence of errors or information about the performance of the website or application itself.

5.3.2 Why are Cookies used?

The website uses cookies to provide the Data Subject with a better and more efficient browsing experience.

Cookies also store information about browser activities, including the IP address, access logs to internet applications, and the pages visited. These activity logs will be used solely to comply with legal or regulatory obligations and will be retained for a period of six months.

5.3.3 Information retention period

1. Permanent Cookies: these are cookies that are stored at the level of the internet browser and on the access devices for a period defined by the controller.

2. Session Cookies: These are temporary. They remain in your browser and access devices while the User/Client/Final Beneficiary is logged in. They can be used to simplify some User actions and link them to others during a browser session. The session will start when a new browser screen is opened and end when that screen is closed.

5.3.4. How to remove or block Cookies?

The Owner has the option to accept or refuse the use of Cookies on their device, using the settings of their preferred browser. However, if you do not accept some Cookies, certain services and features of our website may not function optimally.

You will find more explanations on how to proceed by clicking on the links below. When accessing the respective websites, the User will be subject to the Privacy Notices of third parties and should make sure to read the Privacy Notice specific to each website visited.

How to remove cookies in Internet Explorer (Windows)
How to remove cookies in Microsoft Edge
How to remove cookies in Firefox
How to remove cookies in Google Chrome
How to remove Safari (MAC)

6. Purpose of processing and legal hypothesis adopted

The purposes and legal grounds adopted by Lumx vary according to the form and reason why the Data Subject relates to the company. We list below some situations in which Lumx may process the Personal Data: