At Base, we value the privacy and security of your personal information. This Privacy and Cookie Policy ("Policy") outlines how we collect, use, store, and protect the personal data of our employees, customers, partners, and visitors. Our mission is to handle your information with the utmost respect and confidentiality, in compliance with applicable laws and regulations, such as the General Data Protection Law (LGPD).
We are committed to providing transparency about our privacy practices and ensuring that your information is always protected. We appreciate your trust in Base and are always available to clarify any questions you may have regarding our privacy practices.
Objective
The Privacy Policy ("Policy") aims to inform how Base Exchange ("Base") handles personal data collected through internet applications and to reaffirm its commitment to the privacy, confidentiality, and security of all those who use our institutional channels, including employees, potential clients, and potential employees.
All personal information will be processed in accordance with the applicable Brazilian legislation regarding privacy and personal data protection, particularly Law No. 12.965/2014, known as the "Brazilian Internet Civil Framework," and Law No. 13.709/2018, known as the General Data Protection Law ("LGPD").
Application and Scope
This Policy applies to the personal data processing activities of our employees, as well as our clients and their users, potential clients, potential employees, visitors to our website, users of our platform or support systems such as WhatsApp, Skype, Email, suppliers, and others.
Definitions and Abbreviations
- Personal Data: Any information that allows the identification of a natural person, such as name, CPF (Brazilian tax identification number), identification document, physical address, email, phone number, etc.
- Sensitive Personal Data: Data defined by the LGPD as information with discriminatory potential, requiring more care during processing. According to the law, sensitive data includes information related to racial or ethnic origin, religious beliefs, political opinions, union or political/religious affiliation, health data, sexual life data, genetic or biometric data when linked to a natural person. Base does not collect sensitive data through its institutional channels covered by this Policy
- Processing or Process: Any operation of collection, storage, consultation, use, sharing, classification, reproduction, processing, and evaluation of Personal Data.
- Legal Bases: Legal hypotheses determined by the LGPD that authorize Base to process Personal Data. Every data processing activity performed by Base is grounded on a legal basis.
- Data Subject or Holder: The natural person to whom the Personal Data relates.
- Controller: The natural or legal person, public or private, responsible for making decisions regarding the processing of personal data.
- Processor: The natural or legal person, public or private, who processes personal data on behalf of the controller.
- Data Protection Officer (DPO): A person appointed by the controller and processor to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD).
- Group or Flowa Group: Includes (i) Flowa Technologies; (ii) Base Clearing; and (iii) Base Exchange.
Cookies
Cookies are files stored on your computer when you visit our website. When our website is visited, it sends the cookie to your computer or mobile device, where it is stored in a folder within your browser. Cookies do not transfer viruses or malware to your computer or mobile device because the information in a cookie does not change when moving between pages on the website, and it does not alter the functioning of your device. They act as logs (user activities) and are updated every time the website is accessed. We may collect information about your browsing when you consent to cookie collection through our website.
Why do we use Cookies?
We use cookies to analyze how users navigate our website, as well as to record and improve its performance and functionality. We may use cookies to track which pages on the website are most popular and what is the most effective way to link them. This also helps us identify if you found us through another website, allowing us to improve our future advertising campaigns.
Types of Cookies We Use
• Necessary Cookies: These cookies are essential for the operation of our website. Without these, our website would not function properly. They are stored temporarily as session data and expire when the browser is closed.
• Statistical Cookies: The information provided by analytical cookies allows us to analyze user behavior patterns, and this information is used to improve the overall user experience or identify areas of the website that need maintenance. This information is anonymous (it cannot be used to identify you and does not contain personal information such as your name or email address) and is only used for statistical purposes. Behavioral cookies are similar to analytical cookies and track your visit to the website, using this information to provide content tailored to your interests.
• Preference Cookies: Preference cookies allow the website to remember information that alters its behavior or visual appearance, such as preferred language or region.
Processing of Personal Data
Why Does Base Exchange Process Personal Data?
Base is committed to offering high-quality products and services and works daily to enhance its security measures and ensure the protection of Personal Data necessary for its activities. Data security involves respect and commitment to the proper use of this information, ensuring that it does not exceed the expectations of the Data Subjects and the purposes for which it was shared.
In addition to legal compliance, we follow strict internal procedures and develop technologies suited to the volume and sensitivity of the data being processed.
When interacting with Base’s products and services, the user may transfer information containing their Personal Data through the available functionalities in the channels, and these collections are limited to the minimum necessary to achieve our purposes.
Whenever possible, we process anonymized information so that the Data Subject cannot be identified, considering the use of reasonable and available technical means at the time of processing (especially through cookies).
When registering, it is important that the user enters only the information requested by Base, ensuring that the information is true and up to date. The responsibility for the accuracy, precision, and authenticity of the information provided in our registrations lies with the user.
If you are a teenager, make sure to be assisted and obtain your parents' or guardians' consent before applying for a job or submitting any information.
2. What Personal Data Is Collected?
Base may collect personal data provided directly by the user, by third parties, or automatically collected depending on the service being provided.
- Personal data provided directly by the User: Base will collect personal data entered or sent when accessing our channels (websites, social media, technological testing environments, or applications) or when contracting products and/or services provided by companies in the Base Group.
- Personal data provided by third parties: If you are an investor, we receive the registration data from the Authorized Participant and store the records of each transaction performed. If you are a user of our systems, we receive your registration data from the Authorized Participant for access to our operational systems and store data from your access, which may be used in audits and reports to the Authorized Participant with whom you have a relationship. Base may also receive personal data through third parties, such as clients, partners, or service providers, who have some form of relationship with the user. It is also possible that Base collects data from public databases made available by authorities (such as the Brazilian Federal Revenue Service, for example) or from third parties, or even publicly available data on websites or social media, always respecting privacy.
The data collected may be of various types, depending on the user's interaction (through the website, systems, email, phone, third-party social media, among others), as described below:
- Personal contact information: Includes any information that allows us to contact or verify the user's registration, such as full name, CPF (Brazilian tax identification number), date of birth, email, phone number, and other necessary contact or registration information.
- Service usage/communication information: As the user navigates and interacts on the platforms, Base may collect information about their actions, such as which links were accessed, which pages or content were viewed, how long they were viewed, which products the user engaged with, geolocation data, provider and browser data, among other similar statistics about their interactions.
- Technical information about the computer/mobile device: Information about the computer system or browser the user uses to access our channels, such as the IP address, operating system type, and type and version of the web browser.
- Financial information: Includes information about the transactions carried out.
- Human Resources information: Includes information from users applying for available positions, such as educational background, resumes, professional experience, and others.
For security purposes, Base may request additional data to prevent fraud attempts.
Purpose of Processing Personal Data
Base processes Personal Data primarily to offer products and services, facilitate commercial relationships, comply with contractual, legal, and regulatory obligations, and may, in certain cases, collect data for specific purposes, as outlined below:
- Customer Support: To assist through support channels and respond to inquiries, complaints, and requests. This generally requires the use of your contact details and registration information, as well as details about the products and services you have purchased.
- Service Provision: To enable and manage operations, user requests, product and service purchases.
- Compliance Processes: To fulfill legal obligations and conduct internal compliance processes, including, for example, the "Know Your Customer" (KYC), "Know Your Partner," and "Know Your Employee" processes.
- Whistleblower Channel: To address reports and complaints.
- Monitoring and Surveillance: To monitor orders and register transactions to ensure market security and integrity.
- Account Opening and Registration Maintenance: To identify the client, in compliance with regulatory requirements.
- Recruitment Processes: To provide job openings offered by the Base Group to candidates and manage the selection processes.
- Compliance with Legal/Regulatory Obligations: To fulfill legal or regulatory obligations.
- Fraud and Financial Crime Prevention and Investigation: For anti-money laundering (AML) evaluations, fraud prevention, asset concealment, combating terrorism financing, and the proliferation of weapons of mass destruction ("AML/CFT").
- Compliance with Judicial Orders: Base may use Personal Data to comply with judicial orders from competent authorities or regulatory bodies.
- Advertising: We may use your personal data to ensure you remain well-informed and make full use of our systems.
- Safeguarding Legitimate Interests: We process personal data to safeguard our legitimate interests, while respecting the principles of purpose and necessity.
Some examples of such activities include: - Initiating legal claims and preparing our defense in the event of litigation;
- Analyzing financial transactions to create strategic reports;
- Setting up monitoring systems for our facilities for security reasons;
- Business management activities, optimizing platform performance, and developing products and services;
- Sharing your personal data with partner companies to update/verify your personal information according to anti-money laundering regulations and other crime prevention measures;
- Improving our services to enhance user experience and offer customized products and channels that match your profile.
- Human Resources Management: We process personal data for people management purposes.
Some examples of such activities include: - Compliance with legal and regulatory obligations;
- Execution of employment contracts;
- Payroll and benefits management;
- Recruitment and selection;
- Training and development;
- Performance evaluation;
- Promoting health and safety at work;
- Access and security control; and
- Internal communication.
Sharing of Personal Data
Given Base's business sector, there are a number of mandatory data sharing requirements with regulators and market agents, such as Authorized Participants, Clearing Members, Custody Agents, and Government Authorities. Additionally, Base partners with other companies to facilitate its operations and provide its services. As such, Personal Data may be shared with other companies, service providers, authorities, and regulatory bodies in accordance with the purposes of data collection and the roles of each agent within the market infrastructure relationship chain. Below are some situations in which Base shares Personal Data:
- Suppliers, Service Providers, and Business Partners: Base contracts other companies to perform certain activities, such as payroll processing, timekeeping, data hosting services, auditing, benefits management, and specialized consulting, among others (data processors). These activities may involve the processing of Personal Data from Users in the course of service provision. Base evaluates its partners and includes clear provisions in its contracts with third parties to protect the privacy of data subjects, managing such provisions as needed.
- Public Authorities: For the purpose of fulfilling legal obligations, Base may share Personal Data with government authorities, such as the Central Bank of Brazil (BACEN), the Securities and Exchange Commission (CVM), and other regulatory agencies and governmental bodies.
- Flowa Group Companies: Base shares Personal Data among companies within the Flowa Group for the development of services and compliance with legal and regulatory obligations.
- Protection of Rights: Base reserves the right to access, read, preserve, and disclose any data necessary to comply with a legal or regulatory obligation, judicial or administrative order, or to protect the rights, property, or security of Base, its clients, and employees.
User Rights
As provided by Brazilian legislation, the User, as the data subject, has rights regarding their personal information, including the following:
To exercise these rights, Base may request additional information and documents in order to prevent fraud and comply with applicable legal provisions and guidelines from the National Data Protection Authority (ANPD).
Base may refuse to fulfill a user’s request regarding the exercise of the rights listed above if there are legitimate reasons for doing so. Examples of legitimate reasons include: (a) if the disclosure of information would violate Base's or third parties' trade secrets; (b) if the request for anonymization, blocking, or deletion of data conflicts with legal or regulatory obligations applicable to Base, or would prevent the broad and unrestricted defense of Base’s or third parties' rights, including in disputes of any nature.
Some requests may require a longer response time due to their complexity or potential impacts.
Data Retention Periods
Base follows the data retention periods for Personal Data in accordance with the applicable legislation.
Personal Data is stored for the time necessary to fulfill the purposes for which it was collected, unless there is any other reason for its retention, such as the fulfillment of legal, regulatory, or contractual obligations, as long as these are based on a legal foundation.
Periodically, Base technically analyzes the appropriate retention period for each type of Personal Data collected, considering its nature, the necessity of its collection, and the purpose for which it will be processed.
International Transfer of Personal Data
Base may transfer and process personal data in other countries, in accordance with the conditions set forth in the General Data Protection Law (LGPD) and will be subject to the obligations outlined in this Privacy Policy.
Data Security
Base adheres to all necessary security standards to preserve the confidentiality and integrity of Personal Data, as outlined in our applicable institutional policies, especially the Information Security and Cybersecurity Policy. This includes:
- Any and all Personal Data of Users that are under the control of Base or in the custody of any of its employees.
- Personal Data processed by our employees, representatives, or authorized partners, as long as they need access to such information, depending on the specific purposes for which the Personal Data was collected.
- The storage of Personal Data in all operational environments.
Base follows security protocols and measures to protect Personal Data. Access to information will be restricted to authorized individuals who are trained to use this information appropriately. Employees who misuse the information, violating this Privacy Policy, will be subject to legal measures as well as the penalties outlined in Base's disciplinary and ethical procedures.
Communications
If you have any further questions, comments, or suggestions related to this Policy, or if you suspect improper use of your Personal Data, please contact Base Exchange through the support channels available on our website or directly with the Data Protection Officer at encarregadodedados@baseexchangebr.com.
Base Exchange is not responsible for any false emails sent in its name, including misleading promises, fake offers, fraudulent forms, or any type of communication sent by third parties. Therefore, in case of doubt, please contact us through our official channels.
Base Exchange may change this Privacy Policy at any time. Any time a relevant condition of this Privacy Policy is altered, those changes will be valid, effective, and binding once the new version is published on our website.
Changes to this Privacy Policy
Base may modify this Privacy Policy at any time. Whenever a relevant condition of this Privacy Policy is changed, those changes will be valid, effective, and binding once the new version is published on our website.
To comply with the applicable data protection legislation, we inform you of the name and email address of the Data Protection Officer (DPO) at Base: Felipe Deco – encarregadodedados@baseexchnge.com.br. Through this address, you can exercise your data subject rights, request clarifications, and ask any questions regarding the LGPD.