Privacy Policy

Transferbank Soluções LTDA, registered under CNPJ 56.932.914/0001-45, headquartered at R. Gen. Mário Tourinho, 1733 - sala 5 - Seminário, Curitiba - PR, CEP 80740-000, is the data controller for personal data processed through the TransferPay platform.

TransferPay is an international payment intermediation platform, operating as an electronic foreign exchange (eFX) institution under Resolution No. 277 of the Central Bank of Brazil, in partnership with BCB-authorized exchange banks.

This Privacy Policy describes how we collect, use, share and protect the personal data of our users — both merchants (lojistas) who contract our services and Brazilian consumers who make payments through our platform.

2.1 Merchants (abroad)

For registration, identity verification and regulatory compliance (KYC — Know Your Customer), we collect:

• Company name and trade name
• Business registration number in the country of origin and incorporation documents
• Full name, identity document and proof of address of partners and legal representatives
• Proof of address of the company's registered office
• Contact details: corporate email and phone number
• Banking details for settlement of receivables
• Information about the business model, products and services sold

These data form the KYC dossier required by Brazilian Central Bank foreign exchange regulations (CMN Resolution No. 4,753/2019 and related rules).

2.2 Brazilian consumers (buyers)

To process payments and meet regulatory obligations, we collect:

• CPF (individual) or CNPJ (legal entity)
• Full name
• Email address
• Mobile phone number

The CPF or CNPJ provided is used to query the Brazilian Federal Revenue Service (Receita Federal), to verify the buyer's registration status, confirm legal age (for individuals) and confirm company status (for legal entities).

2.3 Technical and browsing data

• IP address and device/browser information
• Session and analytics cookies (Google Analytics)
• Platform access logs

Data processing by TransferPay is based on the following legal grounds under Brazilian Law No. 13,709/2018 (LGPD):

• Contract performance (Art. 7, V): processing necessary to deliver the services contracted by the merchant.
• Legal or regulatory obligation (Art. 7, II): compliance with Central Bank of Brazil rules (Resolution No. 277 and related regulations), ACAM220 reporting, and Receita Federal queries.
• Credit protection (Art. 7, X): verification of the consumer's registration status at Receita Federal.
• Legitimate interest (Art. 7, IX): fraud prevention, anti-money laundering and prevention of platform misuse.
• Consent (Art. 7, I): for marketing communications and non-essential cookies.

Personal data collected may be shared with:

• Partner exchange bank (BCB-authorised): for settlement of FX transactions and compliance with regulatory obligations, including ACAM220 registration.
• Central Bank of Brazil (BCB): in compliance with mandatory FX transaction reporting obligations.
• Brazilian Federal Revenue Service (Receita Federal): CPF/CNPJ queries for consumer verification.
• Technology service providers: infrastructure, email and hosting providers, under confidentiality and data protection contracts.

We do not sell, rent or share personal data with third parties for commercial purposes.

As we serve merchants located outside Brazil, some data may be transferred to or processed on servers in other countries. We ensure such transfers take place with adequate safeguards, in compliance with Art. 33 of the LGPD, including data protection contractual clauses with our technology vendors.

• FX transaction and KYC data: minimum of 5 (five) years after the transaction, as required by the Central Bank of Brazil and Receita Federal.
• Merchant account data: for the duration of the contract and 5 (five) years after termination.
• Browsing and cookie data: as configured by the user and per each tool's policy, generally no longer than 24 months.

After the retention period, data is deleted or anonymised, unless retention is required by law, for legal proceedings, or to exercise legal rights.

Under the LGPD, you have the right to:

• Confirm whether your personal data is being processed
• Access the data we hold about you
• Correct incomplete, inaccurate or outdated data
• Request anonymisation, blocking or deletion of unnecessary data
• Request portability of your data to another provider
• Withdraw consent where processing is based on it
• Obtain information about data sharing
• Lodge a complaint with the Brazilian Data Protection Authority (ANPD)

To exercise your rights, contact us at: privacidade@transferpay.exchange

Some data cannot be deleted while a legal or regulatory obligation to retain it exists (e.g. FX transaction data required by the BCB).

We use the following types of cookies:

• Essential: required for platform operation (session, language preference). Cannot be disabled.
• Analytics: Google Analytics, to understand platform usage. Can be refused.

You can configure your browser to refuse non-essential cookies at any time.

We adopt appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction or improper disclosure, including data encryption in transit (TLS/HTTPS), role-based access control and security monitoring.

This policy may be updated periodically. For material changes, we will notify registered users by email or by a prominent notice on the site, with at least 15 days' advance notice. Continued use of the platform after notification implies acceptance of the updated version.

For privacy and data protection queries, requests or complaints: