Skip to content

Privacy Policy · LGPD

Your data.
Your rules.

Last updated: May 19, 2026. Version 3.0.

This policy describes how BlueLock collects, uses, stores, and protects your data under Brazil's General Data Protection Law (LGPD — Law 13.709/2018) and Switzerland's Federal Data Protection Act (LFSP). Version 3.0 adds the treatment of data tied to CHF APY yield, CDB BlueLock, and Web App access.

1. Who we are

BlueLock SA, CNPJ 48.123.456/0001-78, headquartered at Av. Paulista 1000 — São Paulo, is the controller of your personal data. For privacy questions, write to our Data Protection Officer (DPO) at privacidade@bluelock.app.

2. What data we collect

To open and operate your CHF account, we collect: (a) identification data — full name, CPF, RG or passport, date of birth, photo; (b) contact data — email, phone, residential address; (c) financial data — statements, income proof when requested, source-of-funds declaration for deposits above Enhanced Due Diligence thresholds; (d) biometric data — video selfie captured via Web App during KYC; (e) usage data — Web App access logs, IP, browser device fingerprint, 2FA sessions; (f) product accounting data — free CHF balance, principal and term of active CDBs, date of first CHF deposit (anchor for the progressive withdrawal schedule), history of APY yield credits and of withdrawals released by the progressive schedule.

3. How we use your data

Your data is used strictly to: (a) meet regulatory obligations to BACEN (Brazil) and FINMA (Switzerland); (b) prevent fraud, money laundering, and terrorism financing (AML/KYC); (c) operate your account — Web App authentication, transfer processing, monthly calculation and credit of APY yield (18.5%) on free CHF balance, CDB accounting (principal, term, maturity), progressive withdrawal schedule calculation from the anchor of first CHF deposit; (d) generate tax reports supporting the client's CBE/IRPF declarations; (e) customer service. We don't share data with third parties for marketing.

4. LGPD legal basis

We process your data on the basis of: (a) contract execution (art. 7, V LGPD) — to operate the account, credit monthly APY yield, manage CDBs and the progressive withdrawal schedule; (b) legal obligation (art. 7, II) — for BACEN/FINMA compliance and taxation; (c) legitimate interest (art. 7, IX) — for fraud prevention and the internal accounting of the yield product; (d) consent (art. 7, I) — only for purposes not covered by the above.

5. Sharing

We share your data with: (a) Swiss partner bank UBS (required for CHF custody, including the pool subject to the progressive withdrawal schedule and the CDB pool); (b) BR partner bank Banco Inter (required for BRL custody); (c) KYC and AML providers (required for compliance); (d) regulatory authorities when legally required. All partners are contractually bound to protection levels equivalent to LGPD. We do not share your data for third-party marketing.

6. International transfer

Data may be transferred to Switzerland for CHF operations, including product accounting data tied to APY yield and CDBs. Switzerland has an adequate level of protection recognized by Brazil's ANPD. For other countries (rare, only in cases of international SWIFT), we apply standard contractual clauses.

7. Retention

KYC, financial operation data, APY yield credit history, and CDB history (principal, rate, term, maturity, liquidation): 10 years after account closure, under Law 9.613/98 (AML) and BACEN regulation. Web App access logs: 6 months. KYC selfie biometric data: 2 years after use. The progressive-schedule anchor (date of first CHF deposit) follows the financial history.

8. Your rights (LGPD)

You may, at any time: (a) access data we hold about you, including the full history of credited APY yield and contracted CDBs; (b) correct incorrect data; (c) anonymize, block, or delete unnecessary or excessive data — subject to the legal retention periods in clause 7; (d) port data to another provider; (e) object to processing; (f) revoke consent. Reply within 15 business days at privacidade@bluelock.app.

9. Security

We adopt: AES-256 encryption at rest, TLS 1.3 in transit, mandatory 2FA for Web App login, biometrics where supported by the browser/device (WebAuthn), ongoing SOC 2 Type II audit, segregation of duties, complete access log, accounting segregation between free balance, CDB principal, and the progressive-withdrawal pool. In case of a security incident, we notify ANPD within 48 hours and the affected client via email + Web App notification.

10. Changes to this policy

This policy may be updated to reflect regulatory or operational changes, including evolution of the APY yield product, the CDB, or the progressive withdrawal schedule. Previous versions are archived. Significant changes are notified by email + Web App notification 30 days before taking effect. Current version: 3.0. Last revision: May 19, 2026.

Questions about your data?

Our DPO (Data Protection Officer) responds within 15 business days.

privacidade@bluelock.app