PRIVACY POLICY

1. Definitions

1.1. This document was written in a simple and accessible way, with several examples of collection and use of Personal Data, precisely so that the User can read and understand how we use their Personal Data to offer them a safe and comfortable experience while using the services.

1.2. We have systematized the definition of some key terms used in this Policy. In this sense, the words below, when used in the singular or plural, will have the following meanings, without prejudice to other definitions attributed in this Policy and in the Terms of Use:

2. General Information and Acceptance

2.1. This Privacy Policy was prepared in accordance with Federal Law No. 12,965 of April 23, 2014 (Civil Rights Framework for the Internet), Federal Law No. 13,709 of August 14, 2018 (Personal Data Protection Law) and EU Regulation No. 2016/679 of April 27, 2016 (European General Data Protection Regulation – GDPR), and is an integral part of the Terms of Use of the ONDA FINANCE Platform and services, which is why, if the User chooses to use our services, he agrees to the collection and use of information in accordance with this Policy.

2.2. Please read this Privacy and Personal Data Protection Policy, the Terms of Use, the AML Policy and the Cookies Policy carefully if you are interested in any of our products and wish to use the Platform. Please note that you may only use our Platform and services if you agree with the respective conditions, and by doing so, you will fully agree to the content of these documents.

2.3. Likewise, if you are our employee, collaborator, service provider or maintain any other type of relationship with ONDA FINANCE, we ask that you also read this Privacy and Personal Data Protection Policy carefully. Please note that you may only start this relationship if you agree with this Policy, and by establishing any relationship with ONDA FINANCE, you fully agree with the content of this document. We appreciate your commitment to understanding and respecting the guidelines established to ensure the protection of your personal data.

2.4. Individuals representing legal entities, when not expressly indicated in the articles of incorporation in force, may have their authorization to access the Platform conditioned to the provision of a valid power of attorney granted by the legal entities they represent. This measure is adopted to ensure security and compliance in the use of the Platform, ensuring that only authorized people have access to the resources and information available. Therefore, it is necessary to provide a power of attorney to prove the legitimacy of the representation and enable access to the Platform.

2.5. ONDA FINANCE may establish specific rules applicable to certain products, when necessary, which will complement and prevail over this Privacy and Personal Data Protection Policy and the Terms of Use. Regardless of the case, you must accept the applicable terms and conditions before using these specific products. This measure aims to ensure that the particularities of each product are properly addressed and that you are aware of and agree to the specific rules related to their use.

2.6. This Policy was prepared in accordance with Laws No. 13,709/2018 ("General Data Protection Law") and No. 12,965/2014 ("Civil Rights Framework for the Internet"), with the purpose of clarifying the following aspects to you:

• (i) What personal data is collected, how it is processed and for what purposes;
• (ii) What are your rights, in accordance with the legislation and rules applicable to the protection of personal data; and
• (iii) What are our obligations in relation to the protection of personal data? This policy covers all of our interactions, both offline and online, as well as all activities and services we provide.

2.7. However, it is important to note that this Policy does not cover the practices of other organizations referenced through links on our Platform. We suggest that when accessing such links, you check the privacy policies and terms of use of third parties, as we have no control over the privacy practices of these organizations.

2.8. To facilitate your reading and navigation, we have divided this Policy into several subjects, each with its own link. We recommend that you read all the topics to fully understand our approach to data protection. However, for your convenience, if you want to revisit a specific topic, just click on the topic of interest and you will be directed to the respective page related to that subject.

2.9. This document has been written in a simple and accessible way, with several examples of collection and use of personal data, so that the User can easily read and understand how we use their information to offer a safe and comfortable experience while using our services. Our goal is to provide transparency on how we treat our customers' personal data, thus ensuring the trust and well-being of all Users.

2.10. By using any type of Service provided by, or on behalf of, ONDA FINANCE, the User expressly declares his/her consent to the collection, use, access, reproduction, processing, storage, elimination, communication and transfer of commercial and, eventually, personal data that are provided to ONDA FINANCE, within the limits of this Privacy Policy.

2.11. If the User does not accept or does not agree with this Privacy Policy, unfortunately it will not be possible to use the services provided by ONDA FINANCE, as these will remain unfeasible, given the need to use the data provided for the execution of the Platform and other services.

2.12. This Privacy Policy may be updated because of any regulatory update, which is why the User is invited to periodically consult this section.

3. Who is ONDA FINANCE?

3.1. ONDA FINANCE LTDA is a financial services company that offers innovative solutions in various areas, such as bank accounts, cryptocurrency operations, credit cards, and international payments.

3.2. Our services include opening digital accounts for individuals and businesses, supporting multi-currency transactions, integrating with cryptocurrency platforms, and facilitating cross-border payments. ONDA FINANCE aims to provide simplified and secure access to global financial products, using advanced technology to optimize its clients' financial operations.

3.3. Our platform was developed with cutting-edge technology to ensure a safe and efficient environment for buying and selling digital assets. We offer advanced trading tools, dedicated support, and an intuitive interface, facilitating the User experience from registration to transaction completion.

3.4. Security is a priority for ONDA FINANCE. We have implemented stringent cybersecurity and regulatory compliance measures to protect our customers' data and assets. Our commitment to transparency and integrity includes adhering to industry best practices and complying with legal requirements, such as the General Data Protection Law (Law No. 13,709/2018).

4. Data Processed by the Company

4.1. Personal data is understood to be all information related to a natural person, capable of identifying him or her or making him identifiable. This includes the information provided by the User, information collected automatically about the User and information obtained by third parties.

I – INFORMATION PROVIDED BY THE USER

4.2. In order to create an account and access our services, we ask you to provide us with information about yourself. This information may be required by law (e.g., to verify your identity and comply with our Know Your Customer ("KYC") obligations), or it is essential for us to provide you with the services you request (e.g., your email address to open your account), and it may be relevant for specific purposes, as described below. As we add new services and features, we may request additional information.

4.3. It is important to note that, without the required information, ONDA FINANCE will not be able to offer its services to you.

4.4. We may collect the following categories of information:

II – INFORMATION COLLECTED AUTOMATICALLY

4.5. To the extent permitted by applicable law, we may collect certain types of information automatically, especially when you interact with us or use our Services. This information helps us resolve customer support issues, improve the performance of our Platform and Services, maintain and/or enhance the User experience, and protect your account from fraud by detecting unauthorized access.

4.6. Information collected automatically includes:

4.7. In addition to the above information, the use of the Application may imply the collection of additional technical data, such as device identifier, operating system, usage events, error logs, approximate location, among others.

III – INFORMATION COLLECTED THROUGH THIRD PARTIES

4.8. In certain circumstances, we may collect information about you from third parties to the extent necessary and permitted by applicable law.

4.9. Sensitive personal data is provided for in article 5, item II of the General Data Protection Law (LGPD), and includes:

• a) Data revealing the User's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
• b) Genetic data;
• c) Biometric data to uniquely identify a person;
• d) Data relating to the User's health;
• e) Data relating to the User's sex life or sexual orientation;

4.10. ONDA FINANCE may collect sensitive personal information when permitted by law or with your consent, such as biometric information to verify your identity by comparing a facial analysis obtained from your selfie or video with the photograph of your national identity document.

4.11. Eventually, other types of data not expressly provided for in this Privacy Policy may be collected, provided that they are provided with the User's consent, or that the collection is permitted or imposed by law.

5. Purpose of the Data Collected

5.1. The main purpose for which we process your personal data is the fulfillment of a contract with you, providing you with the best experience, in a secure, efficient and personalized way.

5.2. In addition, we use the data collected to create, develop, analyze, communicate, operate, deliver, and improve our products, processes, and services, ensuring personalized and complete experiences.

5.3. In addition, we may use the data collected for other legitimate purposes, such as:

• Allow transactions with Crypto assets made available and supported by ONDA FINANCE, create buy and sell orders and generate and allow access to your virtual wallet;
• Continuous improvement of products, processes and services;
• Personalize content and make changes to our products and channels;
• Provide new features, products and promotional dynamics;
• Offer new products and/or services to you, as well as personalized service and monitoring of the investment portfolio;
• Conduct research and campaigns to continuously improve the experience of using ONDA FINANCE by Users;
• Solve problems and doubts, ensuring the quality of our services and care;
• Establish a relevant and assertive dialogue, respecting your interaction preferences, as well as sending important notices;
• Further sophisticate our security by acting effectively on suspicious activity and violations of terms or policies;
• Analyze the performance, trends and measure the audience of the Platform;
• Assess and monitor risks to the security of the Platform, improving and developing our security tools;
• Compliance with legal and regulatory obligations;
• Enable the technical and secure operation of the ONDA FINANCE Application, including biometric authentication, identity verification, QR Code payments, crypto transactions, transactional PIN and push notifications.

5.4. For the purposes of improving the quality of service, training and ensuring security, ONDA FINANCE may monitor or record telephone conversations with you or with people acting on your behalf.

5.5. By communicating with ONDA FINANCE, you understand, agree and authorize that communications may be listened to, monitored and/or recorded, without notice or prior notification.

5.6. By leaving public testimonials, statements, opinions, impressions, comments and suggestions on our Platform, including social networks, you agree and authorize ONDA FINANCE to use, copy, reproduce, make available, transmit, treat, share and translate into other languages such content.

5.7. In addition to the above, ONDA FINANCE, respecting your privacy, sends messages by electronic means, such as the notification center on the Platform itself, emails, SMS and notifications, to confirm activities on the Platform, provide advertising communications and improve services.

5.8. ONDA FINANCE also uses technologies such as cookies, pixel tags, local storage or other identifiers, both on mobile and non-mobile devices, for the purposes of account authentication, service improvement and personalization of the User experience.

5.9. The frequency of sending these communications may vary, according to the User's interaction with the Platform. However, at any time, you may request the interruption of these emails, SMS and notifications through ONDA FINANCE's communication channels, in which case your request will be answered within 10 (ten) days from the date of the request, by accessing:

• a) Notifications on the Platform and SMS, in the "Settings/Preferences/Notifications" menu;
• b) Promotional emails, through the respective unsubscribe link.

5.10. Personal data will be processed by ONDA FINANCE as long as they are necessary or relevant to achieve the purposes established in the Terms of Use and in this Privacy and Personal Data Protection Policy, observing the exceptions provided for in the applicable legislation.

6. Data Storage Time

6.1. To determine the appropriate retention period for the storage of Personal Data, we consider the amount, nature and sensitivity of Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purpose of the Processing, and whether we can achieve such purposes through other means, subject to applicable legal requirements.

6.2. ONDA FINANCE will store your personal data only for the time necessary to achieve the purposes for which it was collected, including compliance with legal or contractual obligations, accountability or requests from competent authorities.

6.2.1. The minimum retention period will be five (5) years from the date of data collection, in accordance with the guidelines established in Circular No. 3,909 of the Central Bank of Brazil.

6.3. In cases where there is no direct contractual relationship, such as when you sign up to receive content from ONDA FINANCE, the company will keep the information you have agreed to provide until a subsequent request is made for the deletion of your data, in accordance with applicable law.

6.4. If the User requests the deletion of his/her personal data and/or his/her account, ONDA FINANCE and the responsible Partner will delete it or make it anonymous after the end of the legal term of 05 (five) years mentioned above, unless its maintenance is necessary due to legal obligations or requests from competent authorities.

6.5. For registration purposes in the database, the information of inactive registrations or transactions carried out will be kept in the platform's backup for up to 05 (five) years from the date of registration.

6.6. Confirmation of the existence of or access to personal data will be provided upon request by the Data Subject, in simplified format or by clear and complete statement, within fifteen (15) days.

6.7. Every natural person is assured the ownership of their personal data and guarantees the fundamental rights of freedom, intimacy and privacy.

6.8. The Holder of the personal data has the right to obtain from the Controller, in relation to the data processed by him/her, at any time and upon request:

• a) Confirmation of the existence of processing;
• b) Access to data;
• c) Correction of incomplete, inaccurate or outdated data;
• d) Anonymization, blocking or deletion of unnecessary, excessive or processed data in non-compliance with the General Data Protection Law;
• e) Portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority;
• f) Deletion of personal data processed with the consent of the data subject;
• g) Information on the public and private entities with which the controller has shared data;
• h) Information about the possibility of not providing consent and the consequences of refusal;
• i) Revocation of consent.

7. Data Processing

7.1. ONDA FINANCE preserves the following principles in its personal data processing operations:

• a) Data minimization: process only personal data necessary and compatible with the informed purposes;
• b) Transparency: holders must know the type of data, purpose and retention period;
• c) Confidentiality: organizational and technical measures with access control and log tracking;
• d) Prevention and security: periodic risk assessment, anonymization or pseudonymization whenever possible;
• e) Free access and data quality: guarantee easy and free access to clear, accurate and up-to-date data;
• f) Non-discrimination: processing is done lawfully, without discrimination;
• g) Relationship with third parties: contracts must contain data protection clauses;
• h) Accountability: adoption of measures capable of proving compliance with data protection rules.

7.2. All personal information is stored in a secure environment, both in the cloud and on selected physical servers, in compliance with data protection legislation.

8. Sharing Data with Third Parties

8.1. ONDA FINANCE and the Partner may work together with other companies to carry out various activities, including the assessment of the User's financial capacity.

8.2. In this way, ONDA FINANCE and the Partner reserve the right to share the User's Personal Data with third parties, to receive, analyze and make decisions about requests related to the services. Such sharing may include Personal Data relating to the User's financial situation and, whenever possible, the sharing will be pseudonymized.

8.3. The User is informed that their Personal Data will be shared among us, and must be kept, for the purposes of complying with rules for the identification of Users and the prevention of money laundering.

8.4. ONDA FINANCE may share your personal data with Partners to provide services, execute the contract with you, credit analysis and fraud prevention, and to implement Compliance, KYC, AML and CFT policies.

8.5. ONDA FINANCE may also share your personal data with public authorities, in accordance with applicable legislation, including international transfers permitted by the LGPD.

8.6. In the context of the Application, ONDA FINANCE may share Personal Data with technology providers, such as biometric authentication, identity verification (KYC) providers, secure storage systems and push notification services.

8.7. WITHOUT PREJUDICE TO THE PROVISIONS OF APPLICABLE BRAZILIAN LAWS, ONDA FINANCE AND THE PARTNER RESERVE THE RIGHT TO ACCESS, READ, PRESERVE AND DISCLOSE ANY PERSONAL DATA NECESSARY TO COMPLY WITH LEGAL OBLIGATIONS OR COURT ORDERS, ENFORCE OR APPLY THE TERMS OF USE, OR PROTECT THE RIGHTS, PROPERTY OR SECURITY OF ONDA FINANCE, THE PARTNER AND THEIR REPRESENTATIVES, SERVICE PROVIDERS, COLLABORATORS OR USERS.

9. International Data Transfer

9.1. ONDA FINANCE strictly adheres to the standards for international transfer of personal data and ensures that its technological service providers follow the company's guidelines for protecting this data.

9.2. We may transfer your personal data to our affiliates, third-party partners, and service providers based around the world. When we do so, we implement appropriate safeguards (including Standardized Contractual Clauses) to ensure compliance with applicable data protection regulations.

10. Rights and Duties of Users

10.1. The User may always choose not to disclose their personal data to ONDA FINANCE and its Partners. However, some of this data may be essential for registration, access and use of the services.

10.2. The User will always have rights regarding the privacy and protection of their personal data. ONDA FINANCE strives to ensure that the User has access to and knowledge of all their rights.

10.3. ONDA FINANCE complies with the LGPD, the Civil Rights Framework for the Internet and other Brazilian laws to guarantee the following rights:

• a) Right to information;
• b) Right of access;
• c) Right to rectification;
• d) Right to deletion;
• e) Right to portability;
• f) Right to object;
• g) Right to restriction of processing;
• h) Right not to be subjected to automated decisions;
• i) Right to revoke consent;
• j) Right to anonymization or blocking;
• k) Right not to provide consent and to be informed of consequences;
• l) Right to petition before the Government.

10.4. Requests may be sent via official service channels and will have no cost.

10.5. We may request documents to confirm identity.

10.6. Confirmations of processing and immediate access will be provided within fifteen (15) days; other requests within up to 30 days, extendable in complex cases.

10.7. Questions can be sent through the service channels.

10.8. In addition to rights, there are duties related to security and confidentiality of access data.

10.9. If these duties are not observed, ONDA FINANCE will not be responsible for resulting acts.

11. Use of Cookies and Similar Technologies

11.1. Cookies, DMP and similar technologies are essential for identifying customers, communication, marketing actions, and protection of collected data.

11.2. ONDA FINANCE uses its own cookies for control, monitoring and tracking of vulnerabilities, risks of incidents and security incidents.

11.3. Own cookies cannot be disabled. Third-party cookies can be disabled, but this may limit functionalities.

11.4. Disabling cookies may affect availability and remove saved preferences.

11.5. ONDA FINANCE also uses third-party cookies for statistical analysis.

11.6. Cookies used may be:

• a) Session cookies;
• b) Persistent cookies.

11.7. By accessing ONDA FINANCE's channels without disabling these technologies, you authorize their use.

11.8. For more information, see the Cookie Policy.

11.9. In the Application, similar technologies (SDKs, tokens, pixels, push) may be used.

12. Security Policies Adopted

12.1. ONDA FINANCE adopts organizational, governance and technical measures to ensure security of personal data.

12.2. Access control and log tracking mechanisms are used, with different levels of restriction.

12.3. Strict technological and procedural controls are applied.

12.4. Practices include authentication, access control, encryption, intrusion prevention, vulnerability scans, malware protection, traceability, backup.

12.5. In the Application, additional security measures will be adopted, such as biometric authentication, 2FA and transactional PIN.

12.6. Unauthorized access may still occur due to user fault, failures or cyber-attacks.

12.7. The User must behave safely and contact ONDA FINANCE if aware of security issues.

12.8. Good practices include strong passwords, no sharing, periodic changes, 2FA, logging out, keeping systems updated.

12.9. By following these practices, you help maintain a safer environment.

12.10. ONDA FINANCE does not send messages asking for passwords, card numbers or wallet addresses; this may be phishing.

12.11. If third parties access your credentials, follow the Terms of Use procedure. In case of incidents, ONDA FINANCE will notify you and take appropriate measures.

13. Other Information

13.1. This Privacy and Personal Data Protection Policy is governed, based on, interpreted and regulated by Brazilian law, and should be understood in addition to our Information Security Policy and Compliance Policy, as well as our Terms of Use and, when applicable, the respective contracts.

13.2. They are integral and inseparable parts of this Policy, and are considered incorporated by reference: our AML Policy, Compliance Manual, Terms of Use and, when applicable, the respective contracts.

14. Contact Channel for Processing Personal Data

14.1. ONDA FINANCE maintains a specific channel for handling requests related to the protection of personal data, which works as a point of contact between the Data Subjects and the company.

14.2. If the User believes that their personal information has been used in a way that is incompatible with this Policy, with current legislation or with their choices, they may contact us by e-mail atendimento@ondafinance.com.br.

14.3. The User may request, at any time, access, correction, deletion or other measures related to their personal data through the indicated e-mail and will receive a response within a maximum period of 15 (fifteen) days.

14.4. All requests must be forwarded exclusively through the official channels indicated above.

14.5. ONDA FINANCE reinforces its commitment to the protection of personal data and to timely and transparent service to data subjects.

15. Changes to the Policy

15.1. ONDA FINANCE undertakes to periodically revisit this Privacy and Personal Data Protection Policy to ensure its compliance with the legislation and adjust to the guidelines of the ANPD. For these reasons, the terms of this policy may be modified at any time.

15.2. In the event of a material change, such as the introduction of a new purpose for the personal data already provided, you will be notified through the contact information provided by you or by a notice on the platform. Maintaining your account will represent your agreement with the new conditions.

16. Legislation and Jurisdiction

16.1. This Policy is governed by Brazilian law. Unforeseen issues will be initially resolved by ONDA FINANCE and, if necessary, in accordance with Brazilian laws.

16.2. Any dispute or controversy related to the use of the Applications, the non-compliance with the Terms of Use, this Policy, or the violation of the rights of ONDA FINANCE, its enterprises, other users, or third parties, will be resolved in the jurisdiction of the District of the Capital of São Paulo – SP, which is the only competent court for such matters, with waiver of any other jurisdiction.