Política de privacidade
Scope of the policy and data controller
This Privacy Policy («Policy») describes how the entity operating the DeFlow platform («DeFlow», «we», «our»), a company registered in the Commonwealth of the Bahamas, processes the personal data of users and visitors («you», «data subject») in the context of our websites, applications and services («Platform»). It applies to all data collected through the Platform, whether during registration, use of fiat-to-digital-asset exchange services (deposits and withdrawals), use of payment links, customer support or any other interaction. The data controller for personal data is the entity operating DeFlow, registered in the Bahamas. The controller's contact channels are set out in the «Contact» section of this Policy. When we refer to «controller», we mean that entity, which decides the purposes and means of processing your data. The technical infrastructure and some of the service providers are located in the United States of America and other jurisdictions; these providers act as «processors» and are contractually obliged to process data only in accordance with our instructions and to ensure appropriate security measures. This Policy supplements the Platform's Terms of Use. In the event of conflict between the Policy and the Terms regarding personal data processing, the provisions that are more protective of the data subject shall prevail, to the extent permitted by applicable law.
Legal basis and purposes of processing
We process your personal data on the basis of legal grounds appropriate to your jurisdiction, which may include: contract performance (provision of the services you requested, account management, processing of deposits and withdrawals); legitimate interest (Platform security, fraud prevention, technical improvements, aggregate usage analysis); compliance with legal obligation (record retention, cooperation with authorities when required by law); and, where applicable, consent (marketing communications, non-essential cookies, where the law requires explicit consent). The main purposes of processing are: (i) to create and manage your account and access credentials; (ii) to provide fiat-to-digital-asset exchange services, deposits and withdrawals, and the other features of the Platform; (iii) to process transactions and maintain records for support and compliance; (iv) to ensure the security and integrity of the Platform (fraud, abuse and unauthorised use detection); (v) to provide customer support and respond to requests; (vi) to comply with legal and regulatory obligations and respond to legitimate requests from authorities; (vii) to improve the Platform, user experience and our services (including aggregate and anonymous analytics); (viii) to communicate material changes to the Terms or this Policy. When we use data for purposes incompatible with those described here, we will inform you and, where required by law, seek fresh consent.
Data we collect
We collect only the data necessary to operate the Platform. Unlike most services, we do not perform KYC: we do not ask for identity documents, selfies, proof of address or the account holder's full name. Account holder data: email address (required for registration and login) and, optionally, a username you choose. Security settings (2FA) are generated and stored in encrypted form. We do not collect your full name, identity document or biometric data. Security and device data: IP address (stored encrypted and/or hashed, not in plain text for new records), technical browser and device characteristics (type, language) and a device identifier (fingerprint) used solely for fraud prevention and account protection. Third-party data in transactions (payer and recipient): to enable and audit each PIX operation, we store, when provided by the payment provider: the name of the payer and the name of the recipient; the tax ID (CPF/CNPJ) always in masked form (e.g. `*.456.789-`), never in a form that allows reconstructing the document; and the destination PIX key for withdrawals. You may also save PIX keys of your choice (with the associated tax ID) to reuse in withdrawals. Transaction data: amounts, times, status, transaction identifiers and Liquid wallet addresses. Support: the content of messages you send to support and files you attach (images, receipts, documents). Cookies and similar technologies: only essential ones and those you authorise, as described in the dedicated section. We do not sell your personal data or use it for third-party advertising.
How we collect data
We collect data directly when you provide it (e.g. when creating an account, filling in forms, contacting support or setting preferences) and automatically when you use the Platform (access logs, cookies, technical data about your device and connection). Registration and account: you provide your email and set a password; you may optionally provide a username or full name. Two-factor authentication (2FA) data is generated and stored securely for login verification. Use of the Platform: each access, navigation and relevant action (e.g. creating an order, deposit, withdrawal) may generate technical and audit records. Your IP address and user-agent are captured in server requests for security and operational purposes. Cookies and local storage: we use cookies and similar technologies as described in the «Cookies and similar technologies» section. You can set your browser to refuse non-essential cookies, noting that this may affect certain features. Support: when you contact support, we collect the content of your message, your email and, where applicable, technical data you share (e.g. error logs) for diagnosis. We do not collect data from third-party sources for marketing profiling; any integration with third-party services (e.g. payment providers) is limited to what is strictly necessary for the operation of the service.
Use of data
We use personal data exclusively for the purposes described in this Policy and in the Terms of Use. Service provision: account and transaction data are used to create and maintain your account, authenticate access, process deposits and withdrawals and provide Platform features (non-custodial wallets, payment links, charges, bill (boleto) payments, affiliate programme where applicable). Security and integrity: usage data, IP address and logs are analysed to detect and prevent fraud, abuse, unauthorised access and breaches of the Terms. We may use automated tools and pattern analysis to identify suspicious behaviour; in serious cases, data may be retained and shared with authorities in accordance with the law. Legal compliance: when the law or a court order or competent authority so requires, we use and retain the data necessary to comply with those obligations and may share it with authorities. Improvements and analytics: we use aggregate and, where possible, anonymised data to analyse use of the Platform, improve performance, usability and our services. These analyses do not identify you individually for third-party marketing purposes. We do not sell your personal data. Any promotional communications (where permitted) will be based on preferences you may set and can be opted out of at any time.
Sharing with third parties
We do not sell your personal data. We share data only in the following situations: Payment provider (PIX): to process deposits and withdrawals, the necessary operation data is exchanged with the independent payment provider that executes PIX and settlement with the financial system. This includes, as the case may be, the paying account's tax ID (CPF/CNPJ, a requirement of the receiving system as an anti-fraud measure) and the transaction data. The provider is an independent controller for the data it processes in its own name. Service providers (processors): hosting and infrastructure (located in the United States), email delivery, security and support tools. They have access only to what is necessary and are contractually obliged to protect the data and not use it for other purposes. Liquid network: on-chain addresses and transactions are recorded on the Liquid Network by the nature of the technology (confidential transactions as to amount). Authorities and legal obligations: when the law, a court order or a competent authority so requires, we may disclose data to comply with the obligation or to defend rights and the security of the Platform and users. Corporate reorganisation: in a merger, acquisition or sale of assets, data may be transferred to the successor, subject to this Policy and applicable law. We do not share data with advertisers or ad networks for marketing targeting.
International data transfers
The Platform is operated by an entity registered in the Commonwealth of the Bahamas and uses hosting infrastructure and service providers located in the United States of America and, where applicable, other jurisdictions. This means that, by using the Platform, your personal data is transferred to and processed in countries other than yours, which may not provide a level of data protection equivalent to that of your jurisdiction. When we make international transfers, we adopt appropriate measures to ensure that data remains protected, to the extent required by applicable law. Such measures may include: standard contractual clauses approved by data protection authorities, adequacy decisions where they exist, or other recognised mechanisms (e.g. certifications or codes of conduct). Details of the applicable safeguards can be provided on request to the contact indicated in the «Contact» section. By using the Platform and providing personal data, you acknowledge and accept that such transfer and processing in the United States and other jurisdictions may occur. If your jurisdiction requires specific consent for international transfers, use of the Platform after due notice may be deemed acceptance, or we will seek explicit consent when the law so requires.
Data retention and deletion
We retain personal data only for as long as necessary for the purposes of this Policy and to comply with legal obligations, resolve disputes and enforce our agreements. Reference periods are: Transaction data (amounts, status, identifiers, payer and recipient names, masked CPF/CNPJ, PIX key): up to 5 years, a period aligned with tax obligations, the recording of PIX itself in the financial system, and the limitation period for dispute resolution. Access and security logs (IP, device, events): from 6 to 12 months, depending on the log type, unless an incident investigation is ongoing. Support attachments and messages: up to 12 months after the support case is closed. PIX keys you save: while your account is active; you can remove them at any time in settings. Account and credentials: while the account is active. After closure, data is deleted or anonymised, except what the law requires to be retained for the periods above. After the applicable periods, data is deleted or anonymised to the extent technically feasible. Aggregate or anonymised data that does not identify you may be kept for analysis and improvements. You may request deletion or portability as described in the «User rights» section.
Security measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction. Technical measures: include, among others, encryption in transit (TLS/HTTPS), secure storage of passwords (hashing with robust algorithms), protection of two-factor authentication credentials, role-based access control, security monitoring and logging, and secure development and deployment practices. Sensitive data is handled with particular care and access is restricted to what is strictly necessary. Organisational measures: internal confidentiality and data processing policies, training of staff with access to data, confidentiality agreements with providers and periodic assessment of risks and adequacy of measures. No system is infallible; in the event of a security incident that may materially affect your personal data, we will notify the competent authorities and, when required by law or appropriate, data subjects, within the applicable time limits. We recommend that you keep your credentials confidential, use two-factor authentication when available and notify us immediately if you suspect unauthorised access to your account.
User rights
Under applicable law (including the LGPD, for data subjects in Brazil), you may exercise the following rights over your personal data: Confirmation and access: to know whether we process your data and obtain a copy of it. Rectification: to correct incomplete or outdated data. You can update much of your data directly in account settings. Erasure / anonymisation: to request erasure of your data, subject to legal retention (e.g. transaction data kept for tax obligations). Account deletion may be requested in settings or through support. Portability: to receive, in a structured format, the data you have provided to us. Objection, restriction and withdrawal: to object to certain processing, request restriction, and withdraw consent where processing is based on it (without affecting what has already been done). Review of automated decisions: some anti-fraud protections (such as the MED mechanism, risk analysis and automatic blocks) use automated processing that may affect your access. You have the right to request human review of these decisions and to understand, in general terms, the criteria involved, through the contact channels. Complaint: you may lodge a complaint with the data protection authority; in Brazil, the ANPD (National Data Protection Authority). To exercise any right, contact the Data Protection Officer through the channels in the «Contact» section. We will respond within the time limits of the law (under the LGPD, generally up to 15 days). We may request identity verification to protect your data.
Minors and eligibility
The Platform is not intended for persons under 18 years of age (or the minimum age of majority in your jurisdiction, if higher). We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor without parental or guardian consent where required by law, we will take steps to delete such data as soon as possible. If you believe that a minor has provided us with personal data, please contact us immediately through the channels indicated in the «Contact» section so that we can proceed with deletion. Use of the Platform by persons who do not have legal capacity to enter into contracts or who are in a jurisdiction where use of our services is prohibited may result in account closure and deletion of data to the extent permitted by law. We recommend that parents and guardians monitor minors' use of the internet and contact us in the event of improper use of the Platform by a minor.
Changes to the policy
We may change this Privacy Policy from time to time to reflect changes in our practices, the Platform, legal requirements or guidance from authorities. The date of the last update is shown at the top of the Policy (version and updatedAt). Substantive changes (e.g. changes to the purposes of processing, the types of data collected or data subject rights) will be communicated through the Platform (notice in the interface when logging in, highlight on the Policy page) or by email to the address associated with your account, with reasonable notice when possible. Continued use of the Platform after the new version takes effect may be deemed acceptance of the updated Policy, except where the law requires explicit consent for specific changes. We recommend that you review this page periodically. If you do not agree with the changes, you may close your account and stop using the Platform; data will be processed in accordance with the retention and deletion policy described in this Policy. In jurisdictions that require explicit consent for certain changes, we will seek consent before applying the new processing.
Contact and Data Protection Officer (DPO)
The data controller is the entity operating DeFlow, registered in the Commonwealth of the Bahamas. Data Protection Officer (DPO): for questions, requests regarding your personal data (access, rectification, erasure, portability, objection, restriction, review of automated decisions) or complaints, contact our DPO at [email protected]. You may also use the other official channels of the Platform (support page or the email [email protected]). Data protection authority: data subjects in Brazil may lodge a complaint with the ANPD (National Data Protection Authority), without prejudice to their other rights. We are committed to responding to legitimate requests within the time limits of applicable law (under the LGPD, generally up to 15 days). In the event of refusal or restriction of the exercise of a right, we will inform you of the reasons. For your security, we may request identity verification before disclosing or amending personal data.