Noviuz
Noviuz
  • Platform
  • Governance
  • Partners
  • Company
PT Contact us
  • Platform
  • Governance
  • Partners
  • Company
  • Português
  • Contact us
Room 11 // Privacy

Privacy Policy.

Noviuz Platform Privacy Policy — Version 2.0

Version 2.0 • July 2026

Clear Language Summary

The Noviuz Platform is a technological infrastructure used to organize structures, relations, authorities, documents, decisions, processes, and records.

To make these features available, Personal Data may be processed in different contexts and by different participants.

Depending on the relationship, Personal Data may be processed, for example, by:

  • Relevant Providers;
  • Operators;
  • Organizations;
  • Partners;
  • Service Providers;
  • technology vendors.

Each participant is responsible for the processing they actually control or perform in accordance with their own purposes, decisions, instructions, contracts, and applicable obligations.

This means that there is not necessarily a single party responsible for any and all processing of Personal Data related to the Noviuz Ecosystem.

This Policy explains:

  • what Personal Data may be processed;
  • how this data may be obtained;
  • for what purposes they may be used;
  • how they may be shared;
  • how international transfers may occur;
  • how data is protected and retained;
  • what rights may be available;
  • how to contact us about privacy.

The participant responsible for a specific processing may be identified in the Interface, at the time of collection, in the service flow, in the applicable contract, or in a specific privacy notice.


1. SCOPE OF THIS POLICY

1.1. Object

This Privacy Policy, referred to as “Policy”, describes how Personal Data may be collected, used, stored, accessed, shared, transferred, protected, retained, or otherwise processed in the context of the Noviuz Platform and the relationships related to its use.

1.2. Application

This Policy applies, depending on the context, to the processing of Personal Data related to:

  • websites and institutional pages;
  • Platform Interfaces;
  • account creation and administration;
  • authentication and access control;
  • use of features;
  • support and communications;
  • security;
  • organization and monitoring of Structures;
  • integrations;
  • services related to the Platform.

1.3. Contextual processing

Different Interfaces, features, and services may involve different responsible participants.

The party responsible for specific processing may be identified:

  • in the relevant Interface;
  • at the time of data collection;
  • in the service journey;
  • in a commercial contract;
  • in specific terms;
  • in a complementary privacy notice;
  • in another instrument applicable to the relationship.

1.4. Third-party services

Certain services accessible or integrated with the Platform may be provided by independent third parties.

When a third party independently determines the relevant purposes and means of its processing of Personal Data, its own privacy policy or notice may apply.

This Policy does not replace the privacy notices of independent third parties.

1.5. Relationship with other documents

This Policy should be read in conjunction, where applicable, with:

  • the Terms of Use;
  • specific contracts;
  • Data Processing Agreements;
  • terms of specific services;
  • notices presented at the time of collection;
  • regional supplements.

A more specific instrument shall prevail regarding the processing or relationship it actually regulates.

2. DEFINITIONS

For the purposes of this Policy:

2.1. Personal Data

“Personal Data” means any information related to an identified or identifiable natural person, or equivalent concept under applicable law.

2.2. Processing

“Processing” means any operation performed on Personal Data, including collection, access, use, organization, consultation, storage, analysis, transmission, sharing, restriction, archiving, deletion, or destruction.

2.3. Data Subject

“Data Subject” means the natural person to whom the Personal Data relates.

2.4. Platform

“Platform” or “Noviuz Platform” means the technological infrastructure defined in the Terms of Use.

2.5. Relevant Provider

“Relevant Provider” means the person or organization identified as responsible for providing a specific access, feature, or service related to the Platform.

Different features and services may have different Relevant Providers.

2.6. Operator

“Operator”, for the operational purposes of this Policy, means an organization that uses the Platform to organize, administer, or monitor relationships with its own clients, users, organizations, or Structures.

The use of the expression “Operator” in this Policy does not determine, by itself, its legal role under any data protection legislation.

2.7. Partner

“Partner” means an organization that maintains a commercial, institutional, technical, or operational relationship with a participant in the Noviuz Ecosystem.

2.8. Service Provider

“Service Provider” means an independent third party that provides a specific service accessible, related to, or integrated with the Platform.

2.9. Organization

“Organization” means any corporation, partnership, trust, foundation, association, fund, vehicle, or other legally or operationally organized arrangement represented or administered through the Platform.

2.10. User

“User” means any natural person who accesses or uses the Platform in their own name or on behalf of an Organization.

2.11. Structure

“Structure” means the organized set of people, organizations, relationships, assets, documents, powers, mandates, decisions, obligations, and records represented, organized, or monitored through the Platform.

3. RESPONSIBILITIES AND PRIVACY ROLES

3.1. Functional and contextual model

The Platform operates in an environment where different participants may process Personal Data for different purposes.

Therefore, a participant will not be automatically considered responsible for all processing related to the Noviuz Ecosystem just because they:

  • use the Platform;
  • provide an integration;
  • participate in a commercial relationship;
  • share infrastructure;
  • act in a specific Interface;
  • integrate a service into the ecosystem.

The role of each participant will be determined in accordance with:

  • the activity actually performed;
  • the purposes of the processing;
  • who makes the relevant decisions;
  • who determines the relevant means;
  • existing instructions;
  • applicable contracts;
  • incident legal obligations.

3.2. Processing performed under instructions

In certain situations, a participant may process Personal Data on behalf of another participant, under documented instructions and within the contracted scope.

Such processing may include, for example:

  • hosting;
  • storage;
  • technical processing;
  • authentication;
  • support;
  • operation of features;
  • security.

The respective roles, instructions, and responsibilities may be regulated in specific contracts or Data Processing Agreements.

3.3. Processing for own purposes

A participant may process Personal Data for purposes they independently determine, including, according to their role:

  • administration of their own contractual relationship;
  • security of their infrastructure;
  • prevention and investigation of fraud;
  • access control;
  • billing;
  • vendor management;
  • defense of rights;
  • compliance with legal obligations;
  • response to incidents.

3.4. Distinct roles for distinct processing

The same participant may perform different roles in different processing activities.

The applicable legal role will be analyzed in relation to the concrete processing, and not just the general identity or name of the organization.

3.5. Independent services

Independent Service Providers may process Personal Data under their own responsibilities when providing, for example:

  • financial services;
  • payments;
  • exchange;
  • custody;
  • legal services;
  • accounting or tax services;
  • fiduciary services;
  • corporate services;
  • identity verification;
  • due diligence;
  • other professional or regulated services.

In these cases, the respective provider may provide their own privacy policy.

4. PERSONAL DATA THAT MAY BE PROCESSED

The categories of Personal Data depend on the features used, the existing relationship, and the participants involved. Not all categories described below are processed in all situations.

4.1. Account and contact data

May include:

  • name;
  • email address;
  • telephone number;
  • organization;
  • position or role;
  • language;
  • communication channels;
  • account identifiers.

4.2. Authentication, use, and security data

May include:

  • login records;
  • sessions;
  • authentication events;
  • MFA records;
  • IP addresses;
  • device and browser information;
  • technical logs;
  • application events;
  • access attempts;
  • security alerts.

4.3. Professional and organizational data

May include:

  • position;
  • role;
  • organization;
  • corporate link;
  • fiduciary role;
  • powers of representation;
  • participation in entities;
  • professional or operational relationship with an Organization or Structure.

4.4. Data related to Structures and relationships

Depending on the use of the Platform, data related to the following may be processed:

  • entities and organizations;
  • beneficiaries;
  • administrators;
  • directors;
  • signatories;
  • representatives;
  • attorneys-in-fact;
  • mandates;
  • powers;
  • relationships between people and organizations;
  • roles and responsibilities.

4.5. Content submitted to the Platform

May include:

  • documents;
  • contracts;
  • powers of attorney;
  • resolutions;
  • minutes;
  • receipts;
  • instructions;
  • communications;
  • files;
  • evidence;
  • other content provided in the context of a specific relationship.

4.6. Identification and verification data

When necessary for a specific relationship, feature, or service, the following may be processed:

  • full name;
  • date of birth;
  • nationality;
  • address;
  • photograph;
  • signature;
  • document number or copy;
  • government identifiers;
  • information necessary for identity or representation verification.

4.7. Financial, wealth, or compliance data

When required by the nature of a specific relationship or service, data related to the following may be processed:

  • assets;
  • holdings;
  • accounts;
  • payments;
  • transactions;
  • source of funds;
  • source of wealth;
  • tax information;
  • digital assets;
  • eligibility;
  • compliance checks;
  • risk analysis or alerts.

This data is not necessarily processed by the same party nor for the same purposes.

4.8. Communications

May include:

  • messages;
  • requests;
  • complaints;
  • support communications;
  • responses to forms;
  • operational notes;
  • institutional or commercial communications.

4.9. Derived data

Certain features may produce information derived from existing data, such as:

  • process states;
  • operational classifications;
  • security indicators;
  • alerts;
  • pending tasks;
  • relationships between records;
  • access classifications.

5. HOW DATA IS OBTAINED

Personal Data may be obtained from the following sources.

5.1. Directly from the Data Subject

For example, when the Data Subject:

  • creates an account;
  • fills out a form;
  • provides documents;
  • uses a feature;
  • sends a message;
  • requests support;
  • participates in a process related to a service.

5.2. From an Organization or Operator

Data may be provided by an Organization or Operator in the context of:

  • access creation;
  • organization of Structures;
  • definition of roles;
  • administration of permissions;
  • execution of processes;
  • representation of relationships or authorities;
  • provision of services to their own clients or users.

5.3. From Partners and Service Providers

Data may be received from participants involved in a specific relationship, including providers of:

  • identity;
  • authentication;
  • security;
  • compliance;
  • payments;
  • corporate services;
  • electronic signature;
  • custody;
  • professional services;
  • technological infrastructure.

5.4. Automatically

Certain information is generated during the use of the Platform, such as:

  • logs;
  • sessions;
  • IP address;
  • device information;
  • browser;
  • authentication events;
  • security events;
  • application usage events.

5.5. From legitimate sources

When permitted by applicable law and relevant to the specific purpose, data may be obtained from:

  • public registries;
  • official databases;
  • sanctions lists;
  • regulatory sources;
  • verification providers;
  • legitimate open sources.

6. HOW DATA MAY BE USED

Personal Data may be processed, depending on the context, for the purposes below.

6.1. Provide the Platform

Including:

  • create and administer accounts;
  • authenticate users;
  • control access;
  • provide features;
  • store information;
  • process actions;
  • organize Structures;
  • maintain history and Records.

6.2. Manage roles, permissions, and processes

Including:

  • assignment of access;
  • configuration of roles;
  • registration of permissions;
  • administration of flows;
  • registration of approvals;
  • segregation of duties;
  • monitoring of pending tasks.

6.3. Fulfill contractual relationships

Including:

  • onboarding;
  • administration of contracts;
  • relationship management;
  • billing;
  • support;
  • provision of contracted features or services.

6.4. Security and prevention of abuse

Including:

  • authentication;
  • security monitoring;
  • prevention of unauthorized access;
  • detection of abnormal behavior;
  • investigation of incidents;
  • prevention and investigation of fraud;
  • protection of infrastructure and participants.

6.5. Diligence, eligibility, and compliance

When necessary for the specific relationship or service, data may be processed to:

  • verify identity;
  • verify representation;
  • perform diligence;
  • perform screening;
  • evaluate eligibility;
  • identify risks;
  • comply with specific obligations;
  • prevent illegal or abusive use.

The party responsible for this processing will depend on the flow and the concrete service.

6.6. Support and communication

Including:

  • respond to requests;
  • solve problems;
  • investigate errors;
  • provide support;
  • send operational communications;
  • communicate relevant changes;
  • respond to complaints.

6.7. Development and improvement

Including:

  • diagnose failures;
  • measure performance;
  • understand usage patterns;
  • develop features;
  • enhance security;
  • improve the experience.

When appropriate, aggregated or de-identified data may be used.

6.8. Legal obligations and defense of rights

Including:

  • compliance with legal obligations;
  • response to valid orders;
  • preservation of required records;
  • investigation of irregularities;
  • exercise and defense of rights;
  • response to administrative, arbitral, or judicial proceedings.

7. LEGAL BASES OR JUSTIFICATIONS FOR PROCESSING

The applicable legal basis or equivalent justification depends on:

  • the responsible participant;
  • the purpose of the processing;
  • the existing relationship;
  • the category of data;
  • the applicable law.

Depending on the context and the legal regime applicable, processing may be based on:

  • contract performance;
  • adoption of pre-contractual measures;
  • compliance with legal obligations;
  • legitimate interests, when recognized and applicable;
  • consent, when required or appropriately used;
  • exercise or defense of rights;
  • other justifications recognized by applicable law.

The fact that consent is used for a specific activity does not mean that all processing related to the Platform depends on consent.

When processing depends on consent, rights regarding its withdrawal will be respected in accordance with applicable law.

8. SHARING OF DATA

Personal Data may be shared only to the extent necessary and appropriate for the respective purpose.

8.1. Organizations and Operators

Data may be shared with the Organization or Operator related to the User when necessary to:

  • manage the relationship;
  • organize the Structure;
  • make access available;
  • control permissions;
  • monitor processes;
  • execute activities under their responsibility.

8.2. Relevant Providers and Partners

Data may be shared with participants involved in providing a specific Interface, feature, operation, or contractual relationship.

8.3. Service Providers

Data may be shared with providers necessary for the relevant activity, including vendors of:

  • hosting;
  • storage;
  • security;
  • authentication;
  • communication;
  • support;
  • electronic signature;
  • identity;
  • compliance;
  • corporate services;
  • professional services;
  • payments and other integrated services.

8.4. Advisors and professionals

When necessary and subject to appropriate confidentiality duties, data may be shared with:

  • lawyers;
  • auditors;
  • accountants;
  • consultants;
  • investigators;
  • other professional advisors.

8.5. Authorities and legitimate third parties

Data may be shared when necessary to:

  • comply with a legal obligation;
  • respond to a valid determination;
  • protect rights;
  • investigate illegal acts;
  • respond to judicial, arbitral, administrative, or regulatory proceedings.

8.6. Reorganizations and corporate transactions

Data may be shared in the context of:

  • reorganization;
  • investment;
  • financing;
  • acquisition;
  • merger;
  • asset sale;
  • change of control;
  • similar transaction.

In these situations, applicable protections will be observed.

8.7. Incompatible use

Personal Data will not be made indiscriminately available to third parties for use incompatible with the legitimate purposes related to the processing.

9. INTERNATIONAL PROCESSING AND TRANSFERS

9.1. Global operation

The Platform, its participants, users, and suppliers may operate in different countries or regions. Therefore, Personal Data may be stored, accessed, or processed in different jurisdictions.

9.2. Applicable safeguards

When applicable law requires specific safeguards for international transfers, the responsible participant will adopt an appropriate mechanism recognized by the respective legal regime.

Additional technical, organizational, or contractual measures may be used when necessary to the context and risk.

Additional information about specific transfers may be provided in:

  • contracts;
  • Data Processing Agreements;
  • specific privacy notices;
  • regional supplements.

10. DATA RETENTION

10.1. General principle

Personal Data will be kept for the period necessary and proportional to the purposes of the processing.

10.2. Criteria

Retention may consider:

  • duration of the relationship;
  • nature of the feature or service;
  • operational need;
  • nature and sensitivity of the data;
  • security;
  • fraud prevention;
  • auditability;
  • defense of rights;
  • legal conservation obligations.

10.3. Different categories of records

Different periods may apply to different types of information, including:

  • account data;
  • operational content;
  • documents;
  • authentication records;
  • security logs;
  • audit trails;
  • records subject to a specific conservation obligation;
  • backups.

10.4. End of necessity

When retention is no longer necessary, data may be, as appropriate:

  • deleted;
  • anonymized;
  • aggregated;
  • isolated;
  • archived under restricted access.

Specific periods may be established in contracts, terms of service, or regional notices.

11. HISTORICAL RECORDS AND PRIVACY RIGHTS

11.1. Preservation of history

Certain Platform features may use architectures where historical events are preserved and corrections, revocations, or alterations are recorded through new events.

11.2. Integrity and minimization

The design of the Platform must seek a balance between:

  • integrity of records;
  • security;
  • auditability;
  • data minimization;
  • privacy;
  • Data Subjects' rights;
  • legal obligations.

11.3. Alternative measures

When direct deletion of a specific record is not technically appropriate or legally permitted, the following may be used, depending on the context:

  • access restriction;
  • pseudonymization;
  • encryption;
  • segregation;
  • rectification by subsequent event;
  • minimization of exposure;
  • other legally appropriate measures.

11.4. Legal obligations prevail over technical design

No technical characteristic of the Platform eliminates mandatorily applicable rights or obligations.

The method of responding to a request must consider:

  • applicable law;
  • nature of the system;
  • third-party rights;
  • conservation obligations;
  • security;
  • integrity of records.

12. SECURITY AND INCIDENTS

12.1. Security measures

The responsible participants will adopt technical, administrative, and organizational measures reasonable and proportional to their role and the risk of the processing.

These measures may include:

  • access controls;
  • authentication;
  • principle of least privilege;
  • segregation of duties;
  • encryption;
  • logs;
  • monitoring;
  • backups;
  • testing;
  • vulnerability management;
  • vendor controls;
  • incident response procedures.

12.2. Shared responsibility

Security also depends on the actions of Users, Organizations, and other participants.

Users must:

  • protect their credentials;
  • use available authentication mechanisms;
  • protect their devices;
  • avoid unauthorized sharing of access;
  • respect authority limits;
  • communicate suspected incidents.

12.3. Incidents

When a security incident involving Personal Data occurs, the responsible participant will adopt reasonable and proportional measures to:

  • investigate;
  • contain;
  • correct;
  • reduce risks;
  • preserve evidence;
  • comply with communication obligations;
  • cooperate with other relevant participants.

The responsibilities of each participant will depend on their role in the processing and applicable law.

12.4. Absence of absolute security

No technological system can be guaranteed to be completely immune to failures, attacks, incidents, or unauthorized access.

13. RIGHTS OF DATA SUBJECTS

Depending on applicable law, the Data Subject may possess rights related to their Personal Data, including:

  • confirmation of the existence of processing;
  • access;
  • correction;
  • update;
  • exclusion or deletion;
  • anonymization;
  • restriction;
  • objection;
  • portability;
  • information about sharing;
  • review of certain automated decisions;
  • withdrawal of consent;
  • complaint before the competent authority.

The existence, extension, conditions, and exceptions applicable to each right depend on the relevant legislation.

13.1. How to exercise rights

Privacy-related requests may be directed to:

privacy@noviuz.com

When another participant is responsible for the processing in question, the request may:

  • be forwarded to the applicable responsible party; or
  • be handled in cooperation with them.

13.2. Verification

It may be necessary to verify:

  • identity of the requestor;
  • legitimacy of the request;
  • authority of any representative.

13.3. Limitations

Requests may be limited or refused when permitted by applicable law, including situations related to:

  • retention obligation;
  • third-party rights;
  • security;
  • fraud prevention;
  • professional secrecy;
  • defense of rights;
  • inability to adequately verify the identity or authority of the requestor.

14. AUTOMATION AND DECISION-MAKING SUPPORT

Automated tools may be used to support activities such as:

  • security;
  • fraud prevention;
  • identification of inconsistencies;
  • prioritization of review;
  • operational analysis;
  • risk analysis.

The use of automation as support for human analysis does not mean, by itself, the existence of an exclusively automated decision.

When a responsible participant uses exclusively automated decisions in a way that generates specific rights under applicable law, those rights will be respected.

15. CHILDREN AND LEGALLY REPRESENTED PERSONS

The Platform is not, as a rule, intended for autonomous use by children or persons without sufficient legal capacity to accept the Terms of Use.

Data related to minors or legally represented persons may, however, be processed when legitimately necessary in the context of an Organization, Structure, or service.

In these situations, the processing must observe the safeguards and requirements of applicable law.

16. COOKIES AND SIMILAR TECHNOLOGIES

Websites and Interfaces related to the Platform may use:

  • cookies;
  • local storage;
  • session identifiers;
  • analytical tools;
  • pixels;
  • equivalent technologies.

These technologies may be used for:

  • authentication;
  • security;
  • application functioning;
  • session maintenance;
  • preferences;
  • performance measurement;
  • usage analysis.

When required by applicable law, appropriate mechanisms shall be made available for:

  • information;
  • consent;
  • refusal;
  • preference management.

Additional information may be presented in the Interface itself or in the respective preferences panel.

17. COMMUNICATIONS

17.1. Operational communications

Communications necessary for the operation of the Platform or a specific relationship may be sent, including messages about:

  • security;
  • authentication;
  • pending tasks;
  • support;
  • requests;
  • service changes;
  • important updates;
  • incidents;
  • contractual notices.

These communications are not necessarily promotional.

17.2. Institutional and commercial communications

Institutional or commercial communications may be sent in accordance with applicable law.

When there is an applicable opt-out or preference management mechanism, the recipient may use it to stop eligible promotional communications.

18. THIRD-PARTY SERVICES AND LINKS

The Platform may contain links, integrations, or connections to websites, applications, and services of third parties.

The use of these services may be subject to their own:

  • terms;
  • contracts;
  • privacy policies;
  • consent mechanisms;
  • operational practices.

This Policy does not control the privacy practices of independent third parties.

19. CHANGES, REGIONAL NOTICES, AND CONTACT

19.1. Changes to this Policy

This Policy may be updated to reflect:

  • changes in the Platform;
  • new features;
  • operational changes;
  • new risks;
  • technological evolution;
  • regulatory changes;
  • changes in the organization of the relationships of the Noviuz Ecosystem.

19.2. Versioning

Each version will be identified by:

  • number or identifier;
  • effective date;
  • date of the last update.

19.3. Material changes

When appropriate to the context, material changes may be communicated by:

  • email;
  • Interface;
  • notice on the website;
  • Operator communication;
  • other reasonably suitable means.

19.4. Regional supplements

Regional supplements may be made available when necessary to meet specific requirements of a specific jurisdiction.

These supplements may address, for example:

  • additional rights;
  • specific legal bases;
  • local representatives;
  • competent authorities;
  • international transfer rules;
  • specific rules on cookies;
  • special categories of data;
  • mandatory information.

When applicable, the regional supplement shall prevail exclusively regarding the mandatory matters of the jurisdiction it regulates.

19.5. Contact about privacy

Requests, questions, and demands related to privacy may be directed to:

privacy@noviuz.com

Security reports:

security@noviuz.com

General legal questions:

legal@noviuz.com

When another Relevant Provider, Operator, or Service Provider is responsible for a specific treatment, their contact details may be made available:

  • na Interface;
  • no momento da coleta;
  • no contrato;
  • no fluxo do serviço;
  • em aviso específico.

The Data Subject should, whenever possible, direct their request to the participant identified as responsible for the relevant processing.

Back to home
Noviuz
Wealth sovereignty.
By design.

Infrastructure to structure, govern, and preserve wealth on a global scale.

Noviuz exists to transform wealth rights into architectures of control, continuity, and freedom.

NVI / INSTITUTIONAL CLOSE
Noviuz
  • Platform
  • Governance
  • Partners
  • Company
  • Contact
Legal
  • Privacy
  • Terms of use
  • Compliance
  • Legal notices

Noviuz acts as a governance, custody, and operations infrastructure for qualified partners. Legal, tax, financial, or regulatory structuring depends on individual analysis and qualified professionals.

© 2026 Noviuz. All rights reserved.