1. Who we are
BlueLock SA, CNPJ 48.123.456/0001-78, headquartered at Av. Paulista 1000 — São Paulo, is the controller of your personal data. For privacy questions, write to our Data Protection Officer (DPO) at privacidade@bluelock.app.
Privacy Policy · LGPD
Last updated: May 19, 2026. Version 3.0.
This policy describes how BlueLock collects, uses, stores, and protects your data under Brazil's General Data Protection Law (LGPD — Law 13.709/2018) and Switzerland's Federal Data Protection Act (LFSP). Version 3.0 adds the treatment of data tied to CHF APY yield, CDB BlueLock, and Web App access.
BlueLock SA, CNPJ 48.123.456/0001-78, headquartered at Av. Paulista 1000 — São Paulo, is the controller of your personal data. For privacy questions, write to our Data Protection Officer (DPO) at privacidade@bluelock.app.
To open and operate your CHF account, we collect: (a) identification data — full name, CPF, RG or passport, date of birth, photo; (b) contact data — email, phone, residential address; (c) financial data — statements, income proof when requested, source-of-funds declaration for deposits above Enhanced Due Diligence thresholds; (d) biometric data — video selfie captured via Web App during KYC; (e) usage data — Web App access logs, IP, browser device fingerprint, 2FA sessions; (f) product accounting data — free CHF balance, principal and term of active CDBs, date of first CHF deposit (anchor for the progressive withdrawal schedule), history of APY yield credits and of withdrawals released by the progressive schedule.
Your data is used strictly to: (a) meet regulatory obligations to BACEN (Brazil) and FINMA (Switzerland); (b) prevent fraud, money laundering, and terrorism financing (AML/KYC); (c) operate your account — Web App authentication, transfer processing, monthly calculation and credit of APY yield (18.5%) on free CHF balance, CDB accounting (principal, term, maturity), progressive withdrawal schedule calculation from the anchor of first CHF deposit; (d) generate tax reports supporting the client's CBE/IRPF declarations; (e) customer service. We don't share data with third parties for marketing.
We process your data on the basis of: (a) contract execution (art. 7, V LGPD) — to operate the account, credit monthly APY yield, manage CDBs and the progressive withdrawal schedule; (b) legal obligation (art. 7, II) — for BACEN/FINMA compliance and taxation; (c) legitimate interest (art. 7, IX) — for fraud prevention and the internal accounting of the yield product; (d) consent (art. 7, I) — only for purposes not covered by the above.
We share your data with: (a) Swiss partner bank UBS (required for CHF custody, including the pool subject to the progressive withdrawal schedule and the CDB pool); (b) BR partner bank Banco Inter (required for BRL custody); (c) KYC and AML providers (required for compliance); (d) regulatory authorities when legally required. All partners are contractually bound to protection levels equivalent to LGPD. We do not share your data for third-party marketing.
Data may be transferred to Switzerland for CHF operations, including product accounting data tied to APY yield and CDBs. Switzerland has an adequate level of protection recognized by Brazil's ANPD. For other countries (rare, only in cases of international SWIFT), we apply standard contractual clauses.
KYC, financial operation data, APY yield credit history, and CDB history (principal, rate, term, maturity, liquidation): 10 years after account closure, under Law 9.613/98 (AML) and BACEN regulation. Web App access logs: 6 months. KYC selfie biometric data: 2 years after use. The progressive-schedule anchor (date of first CHF deposit) follows the financial history.
You may, at any time: (a) access data we hold about you, including the full history of credited APY yield and contracted CDBs; (b) correct incorrect data; (c) anonymize, block, or delete unnecessary or excessive data — subject to the legal retention periods in clause 7; (d) port data to another provider; (e) object to processing; (f) revoke consent. Reply within 15 business days at privacidade@bluelock.app.
We adopt: AES-256 encryption at rest, TLS 1.3 in transit, mandatory 2FA for Web App login, biometrics where supported by the browser/device (WebAuthn), ongoing SOC 2 Type II audit, segregation of duties, complete access log, accounting segregation between free balance, CDB principal, and the progressive-withdrawal pool. In case of a security incident, we notify ANPD within 48 hours and the affected client via email + Web App notification.
This policy may be updated to reflect regulatory or operational changes, including evolution of the APY yield product, the CDB, or the progressive withdrawal schedule. Previous versions are archived. Significant changes are notified by email + Web App notification 30 days before taking effect. Current version: 3.0. Last revision: May 19, 2026.
Our DPO (Data Protection Officer) responds within 15 business days.
privacidade@bluelock.app