Privacy Policy

This Privacy Policy explains how International Payment Solutions Ltda. processes personal data, the legal bases on which we do so, and the rights you have. We process personal data in accordance with the Lei Geral de Proteção de Dados (Lei nº 13.709/2018 — LGPD) and, for data subjects in the European Union, the General Data Protection Regulation (GDPR).

This Privacy Policy is being drafted by legal counsel. The published version supersedes the interim text shown here.

1. Data controller

International Payment Solutions Ltda. ("IPS", "we", "us", "our") — a Sociedade Empresária Limitada, CNPJ 65.324.247/0001-09, with its registered office in São Paulo, Brazil — is the controller of the personal data described in this Policy.

This Policy covers personal data processed by IPS, including data collected through this website (ips.finance) and data processed in connection with IPS's products and services. Where a product has its own privacy notice on its consumer surface, that notice governs the product-specific processing and should be read together with this Policy.

2. Data Protection Officer

IPS has designated a Data Protection Officer (Encarregado pelo Tratamento de Dados Pessoais), responsible for data-protection matters and acting as the point of contact for data subjects and for the Autoridade Nacional de Proteção de Dados (ANPD). You can reach the Data Protection Officer at dpo@ips.finance.

3. Categories of personal data we collect

Depending on how you interact with IPS, we may process:

  • Website-visitor data. When you use ips.finance — for example, our contact or institutional-access forms — we process the information you provide (such as your name, email address, organisation, and role) and limited technical data generated by your visit (such as IP address, device and browser information, and security and anti-abuse data such as captcha results and server logs).
  • Customer and onboarding data. Where you use an IPS product, we process the data needed to identify you and operate the service: identity and contact details; identity-verification data, including identity documents and, where applicable, biometric data; for business customers, corporate and beneficial-ownership information; and screening data such as sanctions and politically-exposed-person (PEP) results.
  • Transaction data. Information about the operations you carry out, including amounts, currencies, counterparties, and the records required to evidence and supervise each operation.

Biometric data and certain other categories are treated as sensitive personal data under the LGPD and receive the additional protections the law requires.

4. Purposes for which we process personal data

We process personal data to:

  • provide and operate the Site and our products;
  • identify and onboard customers and meet know-your-customer (KYC) and know-your-business (KYB) requirements;
  • carry out sanctions, PEP, and anti-money-laundering and counter-terrorist-financing (AML/CFT) screening and monitoring;
  • process and reconcile transactions and maintain the records required to evidence them;
  • meet our legal, regulatory, tax, and reporting obligations;
  • secure our systems and prevent fraud and abuse;
  • respond to enquiries and institutional-access requests; and
  • where you have agreed, send you communications you have asked to receive.

5. Legal basis for each purpose

We rely on the following legal bases under the LGPD (and, for data subjects in the European Union, the corresponding bases under the GDPR):

  • Compliance with a legal or regulatory obligation — for KYC/KYB, AML/CFT, sanctions screening, transaction records, and reporting (LGPD art. 7, II, and art. 11, II for sensitive data; GDPR art. 6(1)(c), and art. 9 where applicable).
  • Performance of a contract, or pre-contractual steps taken at your request — to provide a product or service you have asked for (LGPD art. 7, V; GDPR art. 6(1)(b)).
  • Legitimate interests — for security, fraud prevention, and the proper operation of the Site and our services, balanced against your rights and freedoms (LGPD art. 7, IX; GDPR art. 6(1)(f)).
  • Consent — where we ask for it, such as for optional communications; you may withdraw consent at any time (LGPD art. 7, I; GDPR art. 6(1)(a)).
  • Regular exercise of rights — including in judicial, administrative, or arbitral proceedings (LGPD art. 7, VI).

6. Categories of recipients

We share personal data only with the parties needed to deliver, secure, and supervise our services, including:

  • the câmbio institution authorised by the Banco Central do Brasil through which regulated foreign-exchange operations are executed;
  • identity-verification, document-validation, and sanctions/PEP-screening providers;
  • Brazilian corporate registries, for business-customer verification;
  • infrastructure, hosting, and security providers that process data on our behalf under appropriate contractual safeguards; and
  • authorities, regulators, and courts, where required by law.

We do not sell personal data, and we do not share it for third-party marketing.

7. International data transfers

Some operations involve transfers of personal data across borders — for example, inbound funding from accounts in other countries (including via ACH and SEPA) and the use of service providers located outside Brazil. Where personal data is transferred internationally, we apply the safeguards required by the LGPD for international transfers. For personal data of individuals in the European Union transferred outside the EU, we rely on an appropriate transfer mechanism under the GDPR, such as standard contractual clauses.

8. How long we keep personal data

We keep personal data only for as long as necessary for the purposes described in this Policy, and for the periods required by applicable financial-services, AML/CFT, tax, and other regulation. Records relating to customer due diligence and transactions are generally retained for the minimum periods set by Brazilian AML/CFT and financial regulation — commonly at least five years after the end of the relationship or the operation — after which they are deleted or anonymised.

9. Your rights

Subject to the conditions and exceptions in the applicable law, you have the right to:

  • confirm that we process your data, and access it;
  • correct incomplete, inaccurate, or out-of-date data;
  • request anonymisation, blocking, or deletion of data that is unnecessary, excessive, or processed in breach of the law;
  • request portability of your data;
  • object to, or request restriction of, certain processing;
  • request deletion of data processed on the basis of consent, and withdraw that consent;
  • obtain information about the entities with which we have shared your data; and
  • request review of decisions taken solely on the basis of automated processing that affect you.

Data subjects in the European Union have the equivalent rights under the GDPR. Some rights are limited where we are required by law to retain or process the data — for example, AML/CFT and transaction records we must keep regardless of a deletion request.

10. How to exercise your rights

To exercise any of these rights, contact our Data Protection Officer at dpo@ips.finance. We may need to verify your identity before acting on a request, and we will respond within the timeframes set by the applicable law. You also have the right to lodge a complaint with the ANPD (in Brazil) or, for EU data subjects, with your local data-protection supervisory authority.

11. How we protect personal data

We apply technical and organisational measures appropriate to the sensitivity of the data, including: encryption of data in transit and at rest; access controls on a least-privilege basis and segregation of duties; data minimisation and purpose limitation; continuous monitoring of our systems; audit logging of access to personal data; and incident-response procedures.

Where card-funded payments are processed, card data is handled in line with the Payment Card Industry Data Security Standard (PCI DSS), and IPS does not store full card data on its own systems. Our audit infrastructure records cryptographic proofs (hashes) of events to support tamper-evidence; it does not place personal data on any external or distributed ledger.

No system can be guaranteed to be completely secure, but we work to protect personal data on an ongoing basis.

12. How we communicate updates

We may update this Policy from time to time. When we do, we will revise the "Effective date" above and post the updated Policy here. Where a change is material, we will take additional steps to communicate it as appropriate.

13. Effective date and contact

This Policy is effective as of 18 June 2026.

Controller: International Payment Solutions Ltda. — CNPJ 65.324.247/0001-09 — São Paulo, Brazil. Data Protection Officer: dpo@ips.finance.