Compliance document

Privacy Policy

This Policy describes how PangeaPay processes personal data from customers, website visitors, partners and job candidates, in accordance with the General Data Protection Law (Law 13,709/18) and other applicable regulations. Privacy here is not a footnote clause: it is part of the product.

Last updated: April 2026

1. Data controller

The controller of personal data processed under this Policy is PangeaPay, a Brazilian company that operates the exchange, PIX and cryptoasset platform available at pangeapay.org and its official applications.

For any communication regarding personal data, use the Data Protection Officer (DPO) channel described at the end of this document.

2. Glossary

LGPD — General Personal Data Protection Law (Law 13,709/18).
Holder — natural person to whom the personal data refer.
Controller — person responsible for decisions regarding the processing of personal data.
Operator — person who processes personal data on behalf of the controller.
DPO — Data Protection Officer or Person in Charge of Processing Personal Data.
Personal data — information related to an identified or identifiable natural person.
Sensitive personal data — data on racial or ethnic origin, religious conviction, political opinion, biometric data, among others provided for by law.

3. Data we collect

We collect different categories of personal data depending on the relationship you have with PangeaPay. In general, the data collected falls into the following groups:

  • Identification data: full name, CPF, ID or equivalent document, date of birth, nationality and photo.
  • Contact data: email, telephone, home address and, when applicable, business address.
  • Financial and transactional data: bank accounts, PIX keys, wallet addresses, transaction history, amounts moved, counterparties and declared purpose.
  • Verification data: images of documents, proof of life (selfie or video), proof of residence and data extracted by OCR or facial biometrics.
  • Professional and asset data: profession, occupation, income range and assets declared for risk assessment purposes.
  • Technical and usage data: IP address, device identifiers, operating system, browser, pages visited, app usage events, cookies and session tokens.
  • Communications: messages exchanged with support, call recordings (when notified in advance) and contact forms.

We do not request sensitive personal data outside of cases required by law or regulation. When we collect biometrics, it is only to confirm identity in KYC processes, and the data is protected with encryption and restricted access.

4. Where the data comes from

The personal data we process may be collected from the following sources:

  • Directly from the holder, during registration, KYC, account opening, support and website forms.
  • From operational partners (KYC, biometrics, anti-fraud and blacklist providers) who verify or enrich information you have provided to us.
  • From public sources and regulatory databases, such as Federal Revenue, PEP, OFAC, UN and EU lists, whenever necessary to comply with legal or regulatory obligations.
  • Automatically, while browsing the website or using the app, through cookies, server logs and analytics tools.

5. What we use your data for

We only process personal data for specific, legitimate and informed purposes. The main ones are:

  • Registration, opening and maintenance of your account at PangeaPay.
  • Compliance with KYC obligations, prevention of money laundering (PLD/AML) and terrorist financing, in accordance with Law 14,478/22 and BACEN, CVM and COAF regulations.
  • Execution of the operations you contract: PIX, conversion between BRL, BRLA, USDT, USDC, BTC and other supported assets, and international remittances.
  • Prevention and detection of fraud, scams, misuse of the platform and violation of terms of use.
  • Customer service and dispute resolution.
  • Operational communication about your account, transactions, security and regulatory changes.
  • Marketing communications, when you have consented, with the possibility of opting out at any time.
  • Aggregate statistical analysis for product improvement, security and platform performance.
  • Compliance with court orders, requests from competent authorities and regular exercise of rights in proceedings.

6. Legal bases

Each purpose is supported by a legal basis provided for in the LGPD. The bases we use most frequently are:

  • Execution of contract — to provide the services you contracted for when opening the account.
  • Compliance with legal or regulatory obligation — for KYC, PLD/AML, tax withholding and reporting to authorities.
  • Legitimate interest — for fraud prevention, information security and continuous improvement of services, always with impact assessment.
  • Regular exercise of rights in proceedings — when we need to defend or prove our obligations.
  • Consent — for marketing communications and other cases that depend on free, informed and unambiguous expression.

7. Who we share with

We do not sell personal data. We only share information with third parties who need it so you can use PangeaPay safely, or when required by law. The main recipients are:

  • Technology providers, cloud hosting, transactional email, anti-fraud, KYC, biometrics and analytics, hired as operators and subject to contractual data protection obligations.
  • Financial institutions, PIX partners, exchange partners, custodians and cryptoasset liquidity providers involved in executing the operations you contract.
  • Public authorities and regulatory bodies, when there is a legal obligation, court order or request with legal basis.
  • Auditors, lawyers and accountants, carrying out auditing, rights defense and regulatory compliance functions.
  • In the event of corporate reorganization (merger, acquisition, spin-off), the successor assumes the same obligations as set out in this Policy.

Detailed lists of operators and sub-operators can be requested from the DPO, subject to commercial confidentiality.

8. International data transfer

Some of the providers we use (especially cloud, anti-fraud and analytics) process data outside Brazil. In these cases, the transfer occurs in the circumstances provided for in the LGPD, with specific contractual clauses, recognized certifications or to execute a contract with the holder.

We assess the level of protection in the destination country and adopt additional safeguards when necessary.

9. How long we keep your data

We keep your data for as long as strictly necessary to fulfill the purposes described and applicable legal obligations. The main retention periods are:

  • Registration and KYC data: for the term of the contractual relationship and for at least 5 years after termination, in accordance with PLD/AML legislation.
  • Financial transaction records: for the applicable legal minimum period, typically 5 to 10 years.
  • Access and audit logs: for up to 6 months, according to Marco Civil da Internet, which can be extended by legal request.
  • Communications and support tickets: for up to 5 years, for defense in administrative and legal proceedings.
  • Cookies and analytics: according to the terms described in our Cookies Policy, generally less than 24 months.

After these periods expire, the data is deleted or anonymized, except in cases of mandatory storage provided for by law.

10. Your rights as a holder

The LGPD guarantees a series of rights that you can exercise at any time:

  • Confirmation of the existence of processing.
  • Access to the data we process about you.
  • Correction of incomplete, inaccurate or outdated data.
  • Anonymization, blocking or deletion of data that is unnecessary, excessive or processed in a way that does not comply with the LGPD.
  • Data portability to another supplier, observing commercial and industrial secrets.
  • Deletion of data processed with consent, except where retention is required by law.
  • Information about the public and private entities with which we share data.
  • Information about the possibility of not providing consent and its consequences.
  • Revocation of consent, when consent is the applicable legal basis.

To exercise any of these rights, write to the DPO at the address indicated at the end of this document. We may request proof of identity before fulfilling your request. We will respond within 15 days, extendable in justified cases.

11. How we protect your data

We adopt technical and organizational controls to protect your data against unauthorized access, loss, alteration or improper disclosure. Among them:

  • Encryption in transit (TLS) and at rest for sensitive data and production databases.
  • Principle of least privilege: access to customer data is restricted to the minimum necessary, logged and reviewed periodically.
  • Mandatory multi-factor authentication for employees and administrators.
  • Environment segregation between development, staging and production.
  • Continuous security monitoring, anomaly detection and incident response plan.
  • Formal backup, disaster recovery and periodic continuity testing policy.
  • Assessment of suppliers and contractual data protection clauses in every contract with an operator.

Despite all the controls, no system is completely immune. In the event of an incident that may result in significant risk or damage to data subjects, we will notify those affected and the ANPD in accordance with the LGPD.

12. Cookies and similar technologies

We use our own and third-party cookies for authentication, security, preferences, usage analysis and marketing. You can manage most cookies through your browser settings or through the preferences panel available on the website.

Details about specific cookies, their purpose and their duration are available in our Cookies Policy.

13. Children and teenagers

PangeaPay services are intended for people over 18 years of age. We do not intentionally collect data from children or adolescents. If we identify a minor's registration, the account is closed and the data is deleted, unless there is a legal obligation to retain it.

14. Changes to this Policy

We may update this Policy from time to time. The current version is always the one published on this page, with the last updated date at the top. Relevant changes are communicated through official channels (email, app and website) with reasonable advance notice.

15. How to talk to the Person in Charge (DPO)

For any question related to personal data — including the exercise of holder rights, complaints and questions — please contact our Personal Data Processing Officer by email at compliance@pangeapay.org. Identify yourself and describe the request clearly so that we can respond within the deadline.
