Privacy Policy.
Noviuz Platform Privacy Policy — Version 2.0
Clear Language Summary
The Noviuz Platform is a technological infrastructure used to organize structures, relations, authorities, documents, decisions, processes, and records.
To make these features available, Personal Data may be processed in different contexts and by different participants.
Depending on the relationship, Personal Data may be processed, for example, by:
- Relevant Providers;
- Operators;
- Organizations;
- Partners;
- Service Providers;
- technology vendors.
Each participant is responsible for the processing they actually control or perform in accordance with their own purposes, decisions, instructions, contracts, and applicable obligations.
This means that there is not necessarily a single party responsible for any and all processing of Personal Data related to the Noviuz Ecosystem.
This Policy explains:
- what Personal Data may be processed;
- how this data may be obtained;
- for what purposes they may be used;
- how they may be shared;
- how international transfers may occur;
- how data is protected and retained;
- what rights may be available;
- how to contact us about privacy.
The participant responsible for a specific processing may be identified in the Interface, at the time of collection, in the service flow, in the applicable contract, or in a specific privacy notice.
1. SCOPE OF THIS POLICY
1.1. Object
This Privacy Policy, referred to as “Policy”, describes how Personal Data may be collected, used, stored, accessed, shared, transferred, protected, retained, or otherwise processed in the context of the Noviuz Platform and the relationships related to its use.
1.2. Application
This Policy applies, depending on the context, to the processing of Personal Data related to:
- websites and institutional pages;
- Platform Interfaces;
- account creation and administration;
- authentication and access control;
- use of features;
- support and communications;
- security;
- organization and monitoring of Structures;
- integrations;
- services related to the Platform.
1.3. Contextual processing
Different Interfaces, features, and services may involve different responsible participants.
The party responsible for specific processing may be identified:
- in the relevant Interface;
- at the time of data collection;
- in the service journey;
- in a commercial contract;
- in specific terms;
- in a complementary privacy notice;
- in another instrument applicable to the relationship.
1.4. Third-party services
Certain services accessible or integrated with the Platform may be provided by independent third parties.
When a third party independently determines the relevant purposes and means of its processing of Personal Data, its own privacy policy or notice may apply.
This Policy does not replace the privacy notices of independent third parties.
1.5. Relationship with other documents
This Policy should be read in conjunction, where applicable, with:
- the Terms of Use;
- specific contracts;
- Data Processing Agreements;
- terms of specific services;
- notices presented at the time of collection;
- regional supplements.
A more specific instrument shall prevail regarding the processing or relationship it actually regulates.
2. DEFINITIONS
For the purposes of this Policy:
2.1. Personal Data
“Personal Data” means any information related to an identified or identifiable natural person, or equivalent concept under applicable law.
2.2. Processing
“Processing” means any operation performed on Personal Data, including collection, access, use, organization, consultation, storage, analysis, transmission, sharing, restriction, archiving, deletion, or destruction.
2.3. Data Subject
“Data Subject” means the natural person to whom the Personal Data relates.
2.4. Platform
“Platform” or “Noviuz Platform” means the technological infrastructure defined in the Terms of Use.
2.5. Relevant Provider
“Relevant Provider” means the person or organization identified as responsible for providing a specific access, feature, or service related to the Platform.
Different features and services may have different Relevant Providers.
2.6. Operator
“Operator”, for the operational purposes of this Policy, means an organization that uses the Platform to organize, administer, or monitor relationships with its own clients, users, organizations, or Structures.
The use of the expression “Operator” in this Policy does not determine, by itself, its legal role under any data protection legislation.
2.7. Partner
“Partner” means an organization that maintains a commercial, institutional, technical, or operational relationship with a participant in the Noviuz Ecosystem.
2.8. Service Provider
“Service Provider” means an independent third party that provides a specific service accessible, related to, or integrated with the Platform.
2.9. Organization
“Organization” means any corporation, partnership, trust, foundation, association, fund, vehicle, or other legally or operationally organized arrangement represented or administered through the Platform.
2.10. User
“User” means any natural person who accesses or uses the Platform in their own name or on behalf of an Organization.
2.11. Structure
“Structure” means the organized set of people, organizations, relationships, assets, documents, powers, mandates, decisions, obligations, and records represented, organized, or monitored through the Platform.
3. RESPONSIBILITIES AND PRIVACY ROLES
3.1. Functional and contextual model
The Platform operates in an environment where different participants may process Personal Data for different purposes.
Therefore, a participant will not be automatically considered responsible for all processing related to the Noviuz Ecosystem just because they:
- use the Platform;
- provide an integration;
- participate in a commercial relationship;
- share infrastructure;
- act in a specific Interface;
- integrate a service into the ecosystem.
The role of each participant will be determined in accordance with:
- the activity actually performed;
- the purposes of the processing;
- who makes the relevant decisions;
- who determines the relevant means;
- existing instructions;
- applicable contracts;
- incident legal obligations.
3.2. Processing performed under instructions
In certain situations, a participant may process Personal Data on behalf of another participant, under documented instructions and within the contracted scope.
Such processing may include, for example:
- hosting;
- storage;
- technical processing;
- authentication;
- support;
- operation of features;
- security.
The respective roles, instructions, and responsibilities may be regulated in specific contracts or Data Processing Agreements.
3.3. Processing for own purposes
A participant may process Personal Data for purposes they independently determine, including, according to their role:
- administration of their own contractual relationship;
- security of their infrastructure;
- prevention and investigation of fraud;
- access control;
- billing;
- vendor management;
- defense of rights;
- compliance with legal obligations;
- response to incidents.
3.4. Distinct roles for distinct processing
The same participant may perform different roles in different processing activities.
The applicable legal role will be analyzed in relation to the concrete processing, and not just the general identity or name of the organization.
3.5. Independent services
Independent Service Providers may process Personal Data under their own responsibilities when providing, for example:
- financial services;
- payments;
- exchange;
- custody;
- legal services;
- accounting or tax services;
- fiduciary services;
- corporate services;
- identity verification;
- due diligence;
- other professional or regulated services.
In these cases, the respective provider may provide their own privacy policy.
4. PERSONAL DATA THAT MAY BE PROCESSED
The categories of Personal Data depend on the features used, the existing relationship, and the participants involved. Not all categories described below are processed in all situations.
4.1. Account and contact data
May include:
- name;
- email address;
- telephone number;
- organization;
- position or role;
- language;
- communication channels;
- account identifiers.
4.2. Authentication, use, and security data
May include:
- login records;
- sessions;
- authentication events;
- MFA records;
- IP addresses;
- device and browser information;
- technical logs;
- application events;
- access attempts;
- security alerts.
4.3. Professional and organizational data
May include:
- position;
- role;
- organization;
- corporate link;
- fiduciary role;
- powers of representation;
- participation in entities;
- professional or operational relationship with an Organization or Structure.
4.4. Data related to Structures and relationships
Depending on the use of the Platform, data related to the following may be processed:
- entities and organizations;
- beneficiaries;
- administrators;
- directors;
- signatories;
- representatives;
- attorneys-in-fact;
- mandates;
- powers;
- relationships between people and organizations;
- roles and responsibilities.
4.5. Content submitted to the Platform
May include:
- documents;
- contracts;
- powers of attorney;
- resolutions;
- minutes;
- receipts;
- instructions;
- communications;
- files;
- evidence;
- other content provided in the context of a specific relationship.
4.6. Identification and verification data
When necessary for a specific relationship, feature, or service, the following may be processed:
- full name;
- date of birth;
- nationality;
- address;
- photograph;
- signature;
- document number or copy;
- government identifiers;
- information necessary for identity or representation verification.
4.7. Financial, wealth, or compliance data
When required by the nature of a specific relationship or service, data related to the following may be processed:
- assets;
- holdings;
- accounts;
- payments;
- transactions;
- source of funds;
- source of wealth;
- tax information;
- digital assets;
- eligibility;
- compliance checks;
- risk analysis or alerts.
This data is not necessarily processed by the same party nor for the same purposes.
4.8. Communications
May include:
- messages;
- requests;
- complaints;
- support communications;
- responses to forms;
- operational notes;
- institutional or commercial communications.
4.9. Derived data
Certain features may produce information derived from existing data, such as:
- process states;
- operational classifications;
- security indicators;
- alerts;
- pending tasks;
- relationships between records;
- access classifications.
5. HOW DATA IS OBTAINED
Personal Data may be obtained from the following sources.
5.1. Directly from the Data Subject
For example, when the Data Subject:
- creates an account;
- fills out a form;
- provides documents;
- uses a feature;
- sends a message;
- requests support;
- participates in a process related to a service.
5.2. From an Organization or Operator
Data may be provided by an Organization or Operator in the context of:
- access creation;
- organization of Structures;
- definition of roles;
- administration of permissions;
- execution of processes;
- representation of relationships or authorities;
- provision of services to their own clients or users.
5.3. From Partners and Service Providers
Data may be received from participants involved in a specific relationship, including providers of:
- identity;
- authentication;
- security;
- compliance;
- payments;
- corporate services;
- electronic signature;
- custody;
- professional services;
- technological infrastructure.
5.4. Automatically
Certain information is generated during the use of the Platform, such as:
- logs;
- sessions;
- IP address;
- device information;
- browser;
- authentication events;
- security events;
- application usage events.
5.5. From legitimate sources
When permitted by applicable law and relevant to the specific purpose, data may be obtained from:
- public registries;
- official databases;
- sanctions lists;
- regulatory sources;
- verification providers;
- legitimate open sources.
6. HOW DATA MAY BE USED
Personal Data may be processed, depending on the context, for the purposes below.
6.1. Provide the Platform
Including:
- create and administer accounts;
- authenticate users;
- control access;
- provide features;
- store information;
- process actions;
- organize Structures;
- maintain history and Records.
6.2. Manage roles, permissions, and processes
Including:
- assignment of access;
- configuration of roles;
- registration of permissions;
- administration of flows;
- registration of approvals;
- segregation of duties;
- monitoring of pending tasks.
6.3. Fulfill contractual relationships
Including:
- onboarding;
- administration of contracts;
- relationship management;
- billing;
- support;
- provision of contracted features or services.
6.4. Security and prevention of abuse
Including:
- authentication;
- security monitoring;
- prevention of unauthorized access;
- detection of abnormal behavior;
- investigation of incidents;
- prevention and investigation of fraud;
- protection of infrastructure and participants.
6.5. Diligence, eligibility, and compliance
When necessary for the specific relationship or service, data may be processed to:
- verify identity;
- verify representation;
- perform diligence;
- perform screening;
- evaluate eligibility;
- identify risks;
- comply with specific obligations;
- prevent illegal or abusive use.
The party responsible for this processing will depend on the flow and the concrete service.
6.6. Support and communication
Including:
- respond to requests;
- solve problems;
- investigate errors;
- provide support;
- send operational communications;
- communicate relevant changes;
- respond to complaints.
6.7. Development and improvement
Including:
- diagnose failures;
- measure performance;
- understand usage patterns;
- develop features;
- enhance security;
- improve the experience.
When appropriate, aggregated or de-identified data may be used.
6.8. Legal obligations and defense of rights
Including:
- compliance with legal obligations;
- response to valid orders;
- preservation of required records;
- investigation of irregularities;
- exercise and defense of rights;
- response to administrative, arbitral, or judicial proceedings.
7. LEGAL BASES OR JUSTIFICATIONS FOR PROCESSING
The applicable legal basis or equivalent justification depends on:
- the responsible participant;
- the purpose of the processing;
- the existing relationship;
- the category of data;
- the applicable law.
Depending on the context and the legal regime applicable, processing may be based on:
- contract performance;
- adoption of pre-contractual measures;
- compliance with legal obligations;
- legitimate interests, when recognized and applicable;
- consent, when required or appropriately used;
- exercise or defense of rights;
- other justifications recognized by applicable law.
The fact that consent is used for a specific activity does not mean that all processing related to the Platform depends on consent.
When processing depends on consent, rights regarding its withdrawal will be respected in accordance with applicable law.
8. SHARING OF DATA
Personal Data may be shared only to the extent necessary and appropriate for the respective purpose.
8.1. Organizations and Operators
Data may be shared with the Organization or Operator related to the User when necessary to:
- manage the relationship;
- organize the Structure;
- make access available;
- control permissions;
- monitor processes;
- execute activities under their responsibility.
8.2. Relevant Providers and Partners
Data may be shared with participants involved in providing a specific Interface, feature, operation, or contractual relationship.
8.3. Service Providers
Data may be shared with providers necessary for the relevant activity, including vendors of:
- hosting;
- storage;
- security;
- authentication;
- communication;
- support;
- electronic signature;
- identity;
- compliance;
- corporate services;
- professional services;
- payments and other integrated services.
8.4. Advisors and professionals
When necessary and subject to appropriate confidentiality duties, data may be shared with:
- lawyers;
- auditors;
- accountants;
- consultants;
- investigators;
- other professional advisors.
8.5. Authorities and legitimate third parties
Data may be shared when necessary to:
- comply with a legal obligation;
- respond to a valid determination;
- protect rights;
- investigate illegal acts;
- respond to judicial, arbitral, administrative, or regulatory proceedings.
8.6. Reorganizations and corporate transactions
Data may be shared in the context of:
- reorganization;
- investment;
- financing;
- acquisition;
- merger;
- asset sale;
- change of control;
- similar transaction.
In these situations, applicable protections will be observed.
8.7. Incompatible use
Personal Data will not be made indiscriminately available to third parties for use incompatible with the legitimate purposes related to the processing.
9. INTERNATIONAL PROCESSING AND TRANSFERS
9.1. Global operation
The Platform, its participants, users, and suppliers may operate in different countries or regions. Therefore, Personal Data may be stored, accessed, or processed in different jurisdictions.
9.2. Applicable safeguards
When applicable law requires specific safeguards for international transfers, the responsible participant will adopt an appropriate mechanism recognized by the respective legal regime.
Additional technical, organizational, or contractual measures may be used when necessary to the context and risk.
Additional information about specific transfers may be provided in:
- contracts;
- Data Processing Agreements;
- specific privacy notices;
- regional supplements.
10. DATA RETENTION
10.1. General principle
Personal Data will be kept for the period necessary and proportional to the purposes of the processing.
10.2. Criteria
Retention may consider:
- duration of the relationship;
- nature of the feature or service;
- operational need;
- nature and sensitivity of the data;
- security;
- fraud prevention;
- auditability;
- defense of rights;
- legal conservation obligations.
10.3. Different categories of records
Different periods may apply to different types of information, including:
- account data;
- operational content;
- documents;
- authentication records;
- security logs;
- audit trails;
- records subject to a specific conservation obligation;
- backups.
10.4. End of necessity
When retention is no longer necessary, data may be, as appropriate:
- deleted;
- anonymized;
- aggregated;
- isolated;
- archived under restricted access.
Specific periods may be established in contracts, terms of service, or regional notices.
11. HISTORICAL RECORDS AND PRIVACY RIGHTS
11.1. Preservation of history
Certain Platform features may use architectures where historical events are preserved and corrections, revocations, or alterations are recorded through new events.
11.2. Integrity and minimization
The design of the Platform must seek a balance between:
- integrity of records;
- security;
- auditability;
- data minimization;
- privacy;
- Data Subjects' rights;
- legal obligations.
11.3. Alternative measures
When direct deletion of a specific record is not technically appropriate or legally permitted, the following may be used, depending on the context:
- access restriction;
- pseudonymization;
- encryption;
- segregation;
- rectification by subsequent event;
- minimization of exposure;
- other legally appropriate measures.
11.4. Legal obligations prevail over technical design
No technical characteristic of the Platform eliminates mandatorily applicable rights or obligations.
The method of responding to a request must consider:
- applicable law;
- nature of the system;
- third-party rights;
- conservation obligations;
- security;
- integrity of records.
12. SECURITY AND INCIDENTS
12.1. Security measures
The responsible participants will adopt technical, administrative, and organizational measures reasonable and proportional to their role and the risk of the processing.
These measures may include:
- access controls;
- authentication;
- principle of least privilege;
- segregation of duties;
- encryption;
- logs;
- monitoring;
- backups;
- testing;
- vulnerability management;
- vendor controls;
- incident response procedures.
12.2. Shared responsibility
Security also depends on the actions of Users, Organizations, and other participants.
Users must:
- protect their credentials;
- use available authentication mechanisms;
- protect their devices;
- avoid unauthorized sharing of access;
- respect authority limits;
- communicate suspected incidents.
12.3. Incidents
When a security incident involving Personal Data occurs, the responsible participant will adopt reasonable and proportional measures to:
- investigate;
- contain;
- correct;
- reduce risks;
- preserve evidence;
- comply with communication obligations;
- cooperate with other relevant participants.
The responsibilities of each participant will depend on their role in the processing and applicable law.
12.4. Absence of absolute security
No technological system can be guaranteed to be completely immune to failures, attacks, incidents, or unauthorized access.
13. RIGHTS OF DATA SUBJECTS
Depending on applicable law, the Data Subject may possess rights related to their Personal Data, including:
- confirmation of the existence of processing;
- access;
- correction;
- update;
- exclusion or deletion;
- anonymization;
- restriction;
- objection;
- portability;
- information about sharing;
- review of certain automated decisions;
- withdrawal of consent;
- complaint before the competent authority.
The existence, extension, conditions, and exceptions applicable to each right depend on the relevant legislation.
13.1. How to exercise rights
Privacy-related requests may be directed to:
When another participant is responsible for the processing in question, the request may:
- be forwarded to the applicable responsible party; or
- be handled in cooperation with them.
13.2. Verification
It may be necessary to verify:
- identity of the requestor;
- legitimacy of the request;
- authority of any representative.
13.3. Limitations
Requests may be limited or refused when permitted by applicable law, including situations related to:
- retention obligation;
- third-party rights;
- security;
- fraud prevention;
- professional secrecy;
- defense of rights;
- inability to adequately verify the identity or authority of the requestor.
14. AUTOMATION AND DECISION-MAKING SUPPORT
Automated tools may be used to support activities such as:
- security;
- fraud prevention;
- identification of inconsistencies;
- prioritization of review;
- operational analysis;
- risk analysis.
The use of automation as support for human analysis does not mean, by itself, the existence of an exclusively automated decision.
When a responsible participant uses exclusively automated decisions in a way that generates specific rights under applicable law, those rights will be respected.
15. CHILDREN AND LEGALLY REPRESENTED PERSONS
The Platform is not, as a rule, intended for autonomous use by children or persons without sufficient legal capacity to accept the Terms of Use.
Data related to minors or legally represented persons may, however, be processed when legitimately necessary in the context of an Organization, Structure, or service.
In these situations, the processing must observe the safeguards and requirements of applicable law.
16. COOKIES AND SIMILAR TECHNOLOGIES
Websites and Interfaces related to the Platform may use:
- cookies;
- local storage;
- session identifiers;
- analytical tools;
- pixels;
- equivalent technologies.
These technologies may be used for:
- authentication;
- security;
- application functioning;
- session maintenance;
- preferences;
- performance measurement;
- usage analysis.
When required by applicable law, appropriate mechanisms shall be made available for:
- information;
- consent;
- refusal;
- preference management.
Additional information may be presented in the Interface itself or in the respective preferences panel.
17. COMMUNICATIONS
17.1. Operational communications
Communications necessary for the operation of the Platform or a specific relationship may be sent, including messages about:
- security;
- authentication;
- pending tasks;
- support;
- requests;
- service changes;
- important updates;
- incidents;
- contractual notices.
These communications are not necessarily promotional.
17.2. Institutional and commercial communications
Institutional or commercial communications may be sent in accordance with applicable law.
When there is an applicable opt-out or preference management mechanism, the recipient may use it to stop eligible promotional communications.
18. THIRD-PARTY SERVICES AND LINKS
The Platform may contain links, integrations, or connections to websites, applications, and services of third parties.
The use of these services may be subject to their own:
- terms;
- contracts;
- privacy policies;
- consent mechanisms;
- operational practices.
This Policy does not control the privacy practices of independent third parties.
19. CHANGES, REGIONAL NOTICES, AND CONTACT
19.1. Changes to this Policy
This Policy may be updated to reflect:
- changes in the Platform;
- new features;
- operational changes;
- new risks;
- technological evolution;
- regulatory changes;
- changes in the organization of the relationships of the Noviuz Ecosystem.
19.2. Versioning
Each version will be identified by:
- number or identifier;
- effective date;
- date of the last update.
19.3. Material changes
When appropriate to the context, material changes may be communicated by:
- email;
- Interface;
- notice on the website;
- Operator communication;
- other reasonably suitable means.
19.4. Regional supplements
Regional supplements may be made available when necessary to meet specific requirements of a specific jurisdiction.
These supplements may address, for example:
- additional rights;
- specific legal bases;
- local representatives;
- competent authorities;
- international transfer rules;
- specific rules on cookies;
- special categories of data;
- mandatory information.
When applicable, the regional supplement shall prevail exclusively regarding the mandatory matters of the jurisdiction it regulates.
19.5. Contact about privacy
Requests, questions, and demands related to privacy may be directed to:
Security reports:
General legal questions:
When another Relevant Provider, Operator, or Service Provider is responsible for a specific treatment, their contact details may be made available:
- na Interface;
- no momento da coleta;
- no contrato;
- no fluxo do serviço;
- em aviso específico.
The Data Subject should, whenever possible, direct their request to the participant identified as responsible for the relevant processing.