1. INTRODUCTION

Brazilian Law No. 13,709 of August 14, 2018 (General Data Protection Law – LGPD) is a set of rules that protects and enables individual rights to privacy and protection of personal data (Data). The law establishes privacy rules on how personal data can be used by third parties, respecting the individual choices of the holder (owner) of this data.

In order to enable the performance of its activities, the Travelex Confidence Group collects, stores and processes Data from employees, job applicants, contracted employees, consultants, customers and suppliers, and will always process this Data appropriately, in accordance with the LGPD and this policy.

All actions/practices/premises established in this Policy will be in force for Travelex Confidence Group companies upon the entry into force of the LGPD.

2. OBJECTIVE

Support the governance of the privacy and data protection program, establishing the data protection requirements that must be applied throughout the Travelex Confidence Group, in order to comply with applicable laws and regulations, and global guidelines related to the subject.

This Policy should be read in conjunction with the relevant standards that are referenced in this document.

3. SCOPE AND APPLICABILITY

This Policy is applicable to all areas (whether business or administrative) that process, handle and/or treat personal information on behalf of the companies Travelex Banco de Câmbio SA (“Bank”) and Confidence Corretora SA (“Broker”) of the Travelex Confidence Group.

For the application of this Policy, the processing of personal data must be considered, as well as data that in some way are intended to constitute part of a filing system (for example, online and offline records, held in any electronic or digital format, which extends to “cloud” data storage and backup solutions).

4. CONCEPTS

5. PRINCIPLES

5.1. DATA PROTECTION

In order to comply with the LGPD and data protection, the Travelex Confidence Group has adopted the legal principles set out below, which will be respected in all acts relating to the processing of personal data.

5.2. LEGALITY, JUSTICE AND TRANSPARENCY

Personal data is processed in a lawful, fair and transparent manner.

The Travelex Confidence Group will only process Personal Data for which it has a legal basis, as defined in the LGPD.

Consents for the use of data will always be obtained in a recordable form and archived by the Travelex Confidence Group.

5.3. PURPOSE LIMITATION AND DATA MINIMIZATION

The Travelex Confidence Group will process personal data for specific purposes identified and which have been expressly informed to the data subject. The data will not be used for purposes other than those informed to the individual, without notification regarding legal grounds or without the express consent of the data subject.

5.4. ACCURACY AND RECORD MAINTENANCE

Only necessary personal data will be processed, without processing any unnecessary data. These data will be updated as necessary, and in the event of inaccurate processing, reasonable measures will be taken to ensure that they are erased or corrected without delay, taking into account the purposes for which they are processed.

The accuracy of personal data will be verified at the time of collection and kept updated until the end of data processing.

Travelex Confidence Group employees are instructed to correct in the relevant records/file system and inform the Data Protection Officer (DPO) whenever they find that the personal data processed is inaccurate. In the event of a request for rectification of a record, formal confirmation that the record has been changed will occur within 15 (fifteen) days.

5.5. STORAGE LIMITATION

Personal data should be retained only for as long as necessary to fulfil the original purpose for which it was collected. The Document Retention Standard sets out how long information containing personal data will be stored and the criteria used to determine the period.

After the retention period expires, unless there is a new supervening reason to retain them beyond the standard period, records containing personal data will be securely deleted and may also be anonymized, as established in the LGPD.

5.6. INTEGRITY AND CONFIDENTIALITY

The Travelex Confidence Group uses appropriate technical and/or organizational measures to guarantee the security of personal data, including its protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

The circumstances behind the processing, the available technology, the cost of implementing protective measures and the size of the risk posed to individuals in the processing are taken into account.

For Travelex Confidence Group employees, this principle refers to:

a) Only access personal data that you have permission to do and exclusively for authorized purposes – if in doubt, contact the DPO;

b) Not allow any other person, including other Group employees, to access personal data unless it has verified that they have the appropriate permissions;

c) Keep personal data secure (for example, by complying with rules on access to premises, computers, password protection, encryption and secure storage and destruction of files and other precautions set out in the Travelex Confidence Group Cyber ​​Security Policy);

d) Not remove personal data (including personal data in paper files) or devices containing personal data (or that can be used to access it) from Travelex Confidence Group premises unless appropriate security measures are in place (such as pseudonymisation, encryption or password protection) to protect the information and the device;

e) Do not store personal data on local drives or on personal devices used for work purposes, without prior authorization from your superior.

6. CORPORATE GUIDELINES

6.1. SENSITIVE PERSONAL DATA

If the Travelex Confidence Group needs to process sensitive personal data, the special conditions that justify the processing will be verified, as defined in the LGPD.

6.2. SHARING OF PERSONAL DATA (IN OR OUTSIDE BRAZIL)

Personal Data may be shared with third parties only after appropriate safeguards and contractual provisions are in place.

a) Transfer of Personal Data to Third Parties

Travelex Confidence Group shares some of your personal data with certain types of recipients who will process your personal data on our behalf, for example, cloud service providers, which would include Amazon Web Services Inc., telecommunications services, payment gateways and security service providers.

We disclose your personal data to fraud prevention agencies, such as ThetaRay Ltd, in the provision of certain services. These agencies keep a record of our enquiries and record, use and pass on the information we provide to them to make assessments and help make decisions about you to prevent fraud and money laundering.

We share information about you with law enforcement or other government officials if we are required to do so by law or legal process, or when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity, such as financial crimes.

We share your information with third parties when:

a) you have given us prior consent to do so ; b) and we are processing your information through a trusted business partner, who is acting on the explicit instructions of the Travelex Confidence Group and in accordance with this Policy, confidentiality and security levels.

Our business partners include:
a) payment gateways and payment service providers; b) international money transfer service providers; c) identity verification providers and credit reference agencies; d) anti-fraud, anti-corruption and anti-money laundering check providers; e) cloud service and online security providers; f) third-party service providers to the Travelex Confidence Group; g) telecommunications, chat and network service providers ; h) marketing communications providers; i) online advertisers and targeted advertising providers; j) social networks.

Prior to sharing, the Third Party will be assessed by the Travelex Confidence Group in relation to its adherence to the obligations established in the LGPD, the Group’s policies on data privacy, and a “Data Processing Agreement” will be signed between the parties, through which the conditions between the Data Controller and the Data Processor will be established, regarding the processing of the data, including the description of the processing carried out.

In the event that the Travelex Confidence Group is acquired by a third party or enters into any type of merger or other acquisition, your information will, where necessary, be shared with the relevant party.”

Travelex Confidence Group does not share information for marketing purposes nor does it sell your information.

b) Transfer of Personal Data within the Travelex group of companies

The Travelex Confidence Group shares personal data with each other in order to enable the performance of the contracted services. Sharing is based on internal data processing agreements between the Group entities.

Travelex Confidence Group employees may share personal data with other employees within the Group if the recipient has a work-related need to know the information and the transfer complies with transfer restrictions.

c) Transfer of Data outside Brazil

The LGPD allows the transfer of personal data to countries that have legislation establishing the same level of data protection as the LGPD. The list of permitted countries will be considered on a case-by-case basis by the Travelex Confidence Group.

Prior to the transfer of data, the Travelex Confidence Group will:

1. Ensure that the country to which personal data is transferred has an adequate level of data protection;

2. Ensure that model contractual clauses are in place with the third party to guarantee the protection and security of the personal data transferred (as applicable);

3. Ensure that local data protection and privacy requirements have been met prior to data transfer.

6.3. DIRECT MARKETING

6.4. RIGHTS OF DATA SUBJECTS

The Travelex Confidence Group is prepared to meet the demands of Data Subjects regarding the use of their data. If necessary, please contact us as instructed in item 10.

Travelex Confidence Group employees who are aware of requests from Data Subjects regarding their personal data must address the requests to the DPO and return them to the requesting Data Subject within 15 days.

6.5. SECURITY

Travelex Confidence Group has security measures in place to protect the information provided through its websites against unauthorized disclosure, use, alteration or destruction. However, it clarifies that no transmission over the Internet can be guaranteed to be secure. Therefore, despite efforts to protect information, there is no way to guarantee the security of all information transferred over the Internet.

As part of the use of Travelex Confidence Group websites, the Holder is required to set up a username and password. The Holder is responsible for maintaining the confidentiality of his/her username and password, and is responsible for all activities carried out when registered using his/her username and password.

7. SPECIFIC CONSIDERATIONS – CUSTOMER DATA

Travelex Confidence Group collects personal data for the provision of Group services or through interaction with our websites, participation in our surveys or promotions. The information collected is information provided by customers, information collected automatically or information we receive from third parties.

Personal data is collected in the following ways:

7.1. INFORMATION PROVIDED BY CUSTOMERS

Customers provide information when purchasing or using Travelex Confidence Group services, when communicating with the Group (whether in writing, by telephone or by any other means), or when participating in any of the promotions or surveys.

In cases where the Travelex Confidence Group requests information, it will be collected on forms or on website pages, including when the customer registers an account with the Group:

a) When you sign up to receive the Travelex Confidence Group newsletter, your name, email address and information indicating how you heard about the Group will be collected. You may also be asked for information about your marketing preferences;

b) When you purchase any service from the Travelex Confidence Group, we will collect information necessary to complete the transaction you have purchased. This information may include your name, date of birth, home address, billing address, office address, email address, the form(s) of identification and the information contained in those forms of identification, mobile phone number, landline number, credit or debit card information, other payment details such as your banking information as required by us to complete your transaction and provide you with your payment options and travel details (including future travel dates and destinations).

7.2. INFORMATION COLLECTED AUTOMATICALLY

Travelex Confidence Group also collects certain information through automated means, such as cookies and web beacons, whenever you visit the Group’s websites or use its services. Note: More information can be found in the cookies section.

Details of your visits to the online services are collected. This includes your page interaction and activity on the online services website, including the website from which you came, the pages you viewed during your visit and the page you viewed immediately after leaving.

When you download the mobile application or access the services from a portable device, personal information such as your name, email address, username, password, system and mobile device information (e.g. Android or iOS) and your geographic location may be collected. Depending on your marketing and cookie preferences and your geographic location settings, you may be shown targeted marketing and advertising messages from the application. Information about your use of the application may also be collected for the purpose of improving the performance of the application and digital online services. Information collected automatically is used to:

a) Administer the websites for internal operations, including troubleshooting;

b) Ensure that the content of our websites is presented in the most effective manner for the user and their devices;

c) As part of efforts to keep the sites safe and secure;

d) Measure or understand the effectiveness of the advertising we serve to users and to deliver relevant advertising;

e) Make suggestions and recommendations to the user about products or services that may interest them;

f) Prevention and detection of crimes and public safety, through the collection of CCTV images of customers when they visit the Travelex Confidence Group facilities.

7.3. INFORMATION RECEIVED FROM THIRD PARTIES

Travelex Confidence Group receives information from third parties (including publicly available information). This information includes:

a) Non-personal information used to supplement existing information, such as demographic data and affluence metrics (e.g., socio-demographic groupings through matching zip code information);

b) Information about the Data Subject from other companies within the Travelex Confidence Group and other sources with whom the Group works to provide the services (including Group partners, third party payment and delivery service providers, advertising networks, analytics providers and identity verification services), credit reference agencies, fraud prevention services and social media platforms).

8. MANAGEMENT STRUCTURE AND PROCESS

8.1. HOW INFORMATION COLLECTED FROM CUSTOMER IS USED

The information is used in several ways. To provide the requested services, to keep data subjects informed and to improve their experience with the quality of the services.

a) To provide a requested service or perform a contract with the data subject:

1. Process and fulfill orders and otherwise provide the information and Travelex Confidence Group services you request;
2. Comply with any contract entered into between the holder and the Travelex Confidence Group for the provision of services;
3. Provide you with alerts, in-app messages or other messages and newsletters that you have registered to receive;
4. Provide service messages, including messages to notify you about changes to Travelex Confidence Group services or changes to our terms, conditions and policies.

b) For situations where there is consent from the holder

Referring to situations not directly related to the performance of the contracted services. How to contact the holder for marketing and research matters; verify geographic location to provide location-based services; allow the Travelex Confidence Group and third-party websites to display relevant and targeted advertisements.

c) For situations where there is a legitimate interest

1. Improve customer experience and the quality of Travelex Confidence Group services. This may include tracking emails to know when they are opened and read and the type of device from which the emails are accessed;
2. Data analysis and research to enable us to gain insights and help make Travelex Confidence Group services personalized and relevant, as well as to develop business processes and the Group’s services. When doing this, we anonymize the data so that we can continue to use it for analysis and research after the period in which it was used to process the services.

8.2. Specific considerations – employee data

Travelex Confidence Group collects specific (but not exclusive) personal data relating to employees, apprentices, contractors, consultants and job applicants (all hereinafter referred to solely as “employees”), and only Personal Data necessary
for the operation of the business is requested. No other personal information is collected. In relation to special categories of personal data, Travelex Confidence Group adopts the standards set out below (except where the law allows otherwise):

a) During the pre-selection, interview and decision-making stages, questions will be asked relating to sensitive data (e.g. race or ethnic origin, union membership, health, disabilities), where there is a legal requirement for such data to be reported to government agencies;

b) Special categories of personal data will only be processed for the purposes of administering sick pay, maintaining sickness absence records, ensuring workplace health and safety, assessing fitness for work, monitoring care and facilitating work-related health and sickness benefits, monitoring opportunities and paying equality reports, where we need to comply with legal obligations or exercise rights in relation to employment, where necessary in relation to legal claims.

8.2.1. Access to and retention of Personal Data

Employees have the right to request access to information held about them from Travelex Confidence Group. The retention period for employee information is set out in the Document Retention Policy.

Travelex Confidence Group shall ensure that employees’ personal information is protected in a manner appropriate to its sensitivity and value. This shall be done in accordance with the requirements set out in the Corporate Cyber ​​Security Policy on access, monitoring, transfer, storage and backup.

8.2.2. Accuracy of employee personal information

For the purposes of keeping employee information up to date, each employee is encouraged to update his or her personal profile and other personal information held on Travelex Confidence Group systems whenever his or her personal circumstances change. The Group shall ensure that any notification received from an individual that his or her personal information is inaccurate or out of date is promptly acted upon.

8.2.3. Transfer to Third Parties

Employee personal information may be shared with third parties such as payroll providers, pension administrators and healthcare companies.

8.2.4. The following information is collected about employees:

WHY WE COLLECT/PROCESS DATA

• Recruitment and Selection
• Remuneration
• Benefits
• Training and Development
• Performance Management
• Internal and External Communication

WHAT WE COLLECT/PROCESS

• CV information, personal documents, proof of residence, contact telephone numbers, dependents’ documents, work visas, credit checks, certifications and references related to education/schooling, cover letter, ethnicity statement, medical and health reports, declaration of kinship, authorization for use of image and voice.

HOW WE COLLECT

• Directly with the employee;
• From suppliers (recruitment systems and agencies and educational institutions);
• From historical providers (credit bureau, assessment system suppliers, etc.);
• From the direct superior;
• From the Human Resources department;
• From colleagues.
  

  8.3 Service to Cryptoasset Accounts

  The Bank may offer services related to accounts linked to cryptoassets, subject to evaluation and individual agreement with the client. The service, operating conditions, fees and other aspects related to these accounts will be defined in specific contracts, observing the applicable legislation in Brazil, including, but not limited to, the rules issued by the Central Bank of Brazil and the Brazilian Securities and Exchange Commission (CVM), as well as the Bank’s internal policies.

  The client interested in operating with crypto-assets must provide additional information as required by compliance procedures (KYC/AML), and meet the specific regulatory requirements applicable to operations with digital assets.

9. RESPONSIBILITIES

All employees who handle and/or process personal information on behalf of Travelex Confidence Group companies, for any purpose, must comply with the requirements of this Policy. Employees responsible for managing the Policy, ensuring and monitoring its application, are expected to have appropriate training/qualification, whenever necessary.

Violation of this Policy may result in disciplinary action, up to and including termination of employment.

10. DPO – DATA PRICACY OFFICER

Responsible for handling issues related to the protection of the organization’s and its customers’ data. Assists the company in implementing and adapting its processes and structuring a compliance program focused on greater security of the information under its protection. Professional appointed by the Travelex Confidence Group to act as a communication channel between the Group, data subjects and the National Data Protection Authority (ANPD); (As amended by Law No. 13,853, of 2019).

Provide support and be a reference within the privacy program by advising senior leaders and stakeholders on data protection issues related to customers, partners and employees, especially those related to:

10.1. Implementation and governance of personal data protection:

Be responsible within the Travelex Confidence Group for the implementation and compliance with personal data protection policies and procedures, verify whether data processing complies with the LGPD and other applicable standards, identify and mitigate risks to data privacy and security.

10.2.  Preparation of opinions, guidance and training on the LGPD:

Provide training to Travelex Confidence Group employees on the LGPD, clarify doubts about the processing of personal data and the company’s obligations, and promote a culture of personal data protection within the organization.

10.3 . Preparation and review of documents:

Prepare and maintain updated documents such as privacy policy, record of personal data processing activities and other documents related to data protection.

10.4. Supplier risk analysis:

Determine in the contract approval flow whether the contract is subject to the LGPD. Perform a risk analysis of suppliers regarding the LGPD.

10.5. Security incident management:

In the event of a data security incident, including leaks or breaches of personal data, coordinate with the IT department the development and implementation of a response plan.

Be responsible for notifying the ANPD and data subjects about incidents, as required by the LGPD.

10.6 . Responding to requests from ANPD and personal data holders :

Be responsible for representing the Travelex Confidence Group before the ANPD (National Data Protection Agency), including responding to requests, providing necessary information and receiving audits and inspections.

Receive and respond to requests from data subjects, such as requests for access, rectification and deletion, received through all Travelex Confidence Group service channels.

10.7. Cooperation with other areas:

Cooperate with other departments of the Travelex Confidence Group on matters related to the LGPD, meeting any demands that may be necessary.

Integrate the personal data protection process into the company’s business, such as product development and the like.

DPO – Data Controller must:

1. Report directly to the presidency of the
2. Have access to leaders in key areas of the company;
3. Have resources (human and material) to perform their functions;
4. Have autonomy and intention to carry out your activities without your performance being pressured by financial results or commercial goals.

Any employee who has questions or concerns about data protection compliance, or considers that there has been any data breach or the security surrounding personal information has been compromised, should contact the Data Protection Officer (DPO) without delay by opening a “Data Security Incident”.

11. THIRD PARTY SERVICES

If you contract a service from a third-party company through the Travelex Confidence Group, you will provide your Personal Data directly to the service provider, to be processed as determined by it.

The Travelex Confidence Group will retain and process Personal Data in accordance with the provisions of this policy for the exclusive purpose of controlling contracts sent to partners.

For reference purposes, below are the links to access the Privacy Policies of the main partners of the Travelex Confidence Group.

12. COMMUNICATION CHANNEL

If you have any questions about this Policy or how Travelex Confidence Group processes personal data, please contact us by e-mail at
complaint@e-travelex.br.com.

13. RELATED DOCUMENTS

– Document Retention Standard;
– Law No. 13,709, of August 14, 2018 (Brazilian General Data Protection Law – LGPD;
– Global Data Protection & Privacy Policy.

14. REVIEW

This policy was reviewed, updated and approved on January 9, 2025. Subsequent reviews and updates should occur annually or in accordance with process reviews or adjustments to comply with legal or regulatory requirements.