DATE OF LAST UPDATE: September 18, 2020.

BTG Pactual is committed to protecting and safeguarding your personal data. We would like to explain in more detail how we handle your personal information.

Why does BTG use my personal data?

BTG is committed to always offering the best services, believing in the user’s freedom of choice. Personal data protection involves responsibility and commitment to the security of your data, as well as respect for your privacy and our commitment to you being in control of your personal data.

Your personal information is mainly used to provide the services you have contracted, such as banking and insurance services. To this end, we collect the personal information that you share when you register on our platforms, make financial transactions and contact or interact with us through our products or contact channels.

These are just a few examples of how our services need to use personal data, legitimately and within your expectations. We take the protection of your data very seriously, and this policy describes how it is collected, used, shared and stored. If after reading this Policy you still have doubts, feel free to contact us. For a better understanding of the terms used in this policy, please refer to item 9 - "Basic Concepts".

Contact channel:

Email: sh-privacidade@btgpactual.com

1. How does btg collect your personal data and what types of data are collected?

The types of Personal Data and how BTG collects it depends on how you relate to us and why. For example, the Personal Data collected will be different if you want to invest in the financial market, take out insurance or open a checking account.

To find out more about these types of data and their respective purposes, please consult our Personal Data Table provided below, in order to identify how your data is handled by us.

If you have any doubts about how, when and why we use Personal Data, feel free to contact us through the channels available in this Policy.

Source Type of Data Collected Purpose Legal Basis
Platform Navigation

Navigation data: data collect-ed through cookies or device IDs, including IP, date and time of access, geographic location, browser type, dura-tion of visit and pages viewed.

Access records: we have a legal duty to store some of your information (such as your IP, date and time of access) to eventually provide it to legal authorities. Compliance with legal obligation
Access device data: model, manufacturer, operating sys-tem, unique identifier, tele-phone operator, screen reso-lution, browser type and con-nection speed. Cookies: to activate essential functions, such as antivirus software, display content, generate statistical information to improve the Platform and enable personalized adver-tising. For more information, please see item 2 of this Policy. Legitimate interest
Forms

Registration data: name, e-mail, telephone, gender, home address.

Contact Us: we request some of your regis-tration details (such as name and e-mail or phone number) so that you can contact our support team. Consent
Profile data: interests, hob-bies, consumption habits. Newsletter and other communications: we use registration data to send informational content or advertising about the Services and Products we offer and may interest you. We rely on profile data to target advertising tailored to your interests. Legitimate interest and consent
Use of the Platform

Registration data: name, e-mail, telephone, gender, home address or geolocation, CPF, identification document, date of birth.

Financial data: average monthly income.

Biometric data: facial recognition.

Registration: to allow you to register and use our Services and Products, such as your checking account. Some of the information is required by public authorities, and some is required to ensure the security of your account. Execution of contract and compliance with legal obligation
Credit analysis and protection: to prevent fraud such as, for example, falsehood. During the process, we can consult public sources to enrich the database. Credit protection and consent
Insurance services Registration data: full name, phone number, e-mail, CPF, identification document or driver’s license, full address. Pervice provision: depending on the type of insurance you have taken out, we need specific information to provide you certain services, such as issuing policies, claims, or simply to formalize contracts. Contract execution
Kenoby (application platform)

Registration data: full name, e-mail, password, date of birth, gender, phone number, country, city, state.

Professional data: professional experience, company and position held, education and languages.

Sensitive Data: ethnicity and disabilities.

Work with us: we use the Kenoby platform on our website (see here) so you can apply for job opportunities currently available.

Consent

In specific situations, we may collect additional information, including Sensitive Data. In the case of persons under conservatorship or people with disabilities, for example, we may collect information that proves these condi-tions so that we can offer more personalized and accessible Products and Services. Or in the case of contracting life insurance, health data is collected to allow the adequate provision of the service.

We do not intend to directly collect Personal Data from children or young persons, except with the specific and prominent consent of parents or legal guardians.

2. Cookies: what are they and how does btg use them?

Cookies are small text files stored on your browser or device. Cookies allow us to remember your preferences in order to adapt our website to your specific requirements.

Cookies usually have an expiration date. Some cookies are automatically deleted when you close your browser (session cookies), while others can be stored on your computer for longer, until you delete them manually (persistent cookies). BTG uses the following types of cookies:

  • strictly necessary cookies, which allow our website to function properly, such as logins with authentication. It is not possible to reject these cookies if you want to access the website;
  • canalysis cookies, to improve the content of the website, providing information about how it is being used in order to enhance your user experience. These cookies automatically collect certain Personal Data to identify, for example, how often a particular page was visited;
  • cfunctionality cookies, to record data previously provided, such as your login information, in order to improve the browsing experience; and
  • marketing cookies, which enable us to provide the best offers of Products and Services to the user, according to their interests.

It is important to clarify that BTG is not responsible for third-party cookies. Please note that cookies placed by third parties may eventually continue to track your online activities even after you leave our website, therefore, it is recommended that you delete them manually.

If you want to delete the cookies installed on your computer, you can do so manually using the settings available in your browser, following the instructions on Google Chrome, Mozilla Firefox, Microsoft Edge or Safari. It should be noted, however, that some of the website’s features may become unavailable after the deletion of certain cookies.

3. Who does btg share your personal data with?

Sometimes, we need to share your Personal Data with third parties who provide services on our behalf. This is the case, for example, with database hosting and audit services. Below we describe some situations in which BTG may share your Personal Data:

Our suppliers. We rely on the help of suppliers who can process the Personal Data we collect. We always seek to carefully evaluate our suppliers and enter into contractual obligations for the protection of Personal Data and information security in order to minimize risks for Data Subjects. These suppliers include, for example, compa-nies with public databases hired to assist us in credit analysis for when you open an account or approval of credit operations.

Analytics. The data stored by BTG may be used for statistical reporting (analytics), so we can understand who visits our website and consumes our Products and Services. These data are pseudonymized and the Personal Data is not related to an identified or identifiable person, and are only used to better understand how people ac-cess the BTG Digital Platform, in order to improve the provision of services and products, tailored to their interests.

Public Authorities. We have to comply with the law. Therefore, if legal authorities, such as BACEN, CVM or Pro-con, require BTG to share certain Personal Data in order, for example, to comply with regulatory requirements, we will need to share this information. We are against any abuse of power and, if BTG understands that a particular order is abusive, we will always ensure your privacy is prioritized.

Protection of rights. Additionally, we reserve the right to share any Personal Data that we believe is necessary to comply with a legal obligation, apply our Terms of Use, or even protect the rights of BTG, our employees and customers.

Affiliates. If, for example, you are interested in our insurance or brokerage services, we may share your Personal Data with our Affiliates or other companies or trusted persons to handle such information for this purpose or other legitimate interests. This process is always carried out in accordance with our instructions, pursuant to our Privacy Policy and all other appropriate security and confidentiality measures.

We are committed to protecting your Personal Data, but unfortunately we cannot ensure the appropriate use of this Personal Data by third parties, who process, disclose and protect Personal Data in accordance with their respective Privacy Policies.

If you have any doubts about who these companies or our suppliers are, feel free to contact us through the channels available in this Policy.

    4. Does BTG transfer personal data to other countries?

    As mentioned in the item above, we may share your personal information with BTG employees, representatives and affiliated companies or partners based outside your country of residence, in order to provide our services to you. We may, for example, transfer your Personal Data to the company responsible for hosting our databases, whose head-quarters are located abroad.

    These transfers only involve companies that demonstrate compliance with applicable data protection laws, and main-tain a similar or stricter level of compliance than the provisions of Brazilian legislation. In addition, the Data transferred may only be processed, in accordance with this Policy and BTG’s corporate rules, for the provision of our services or fulfillment of the company’s objective.

    If you have any doubts about who these companies are, feel free to contact us through the channels available in this Policy.

    5. What are your rights as a personal data holder?

    Personal Data is yours and Brazilian law guarantees a series of rights related to it. We are committed to the ob-servance of these rights and, in this section, we explain how you can exercise them with BTG. Brazilian law guaran-tees you the following rights:


    Confirmation and Access It allows you to check whether BTG collects your Personal Data and, if so, to request a copy of the Personal Data that we have about you.
    Rectification It allows you to request the rectification of any incomplete, inaccurate or outdated personal data.
    Anonymization, blocking or deletion It allows you to ask us to (a) anonymize your data, so that it can no longer be associated with you and therefore is no longer Personal Data; (b) block your Data, temporarily suspending our ability to process it; and (c) delete your Data, in which case we will delete all your Data without the possibility of reversal, except in cases provided by law.
    Portability You have the right to request that BTG provide you, or a third party of your choice, your Personal Data in a structured and interoperable format, to be transferred to another service or product provider, as long as it does not violate the Company’s intellectual property or trade secrets.
    Sharing information You have the right to know the public and private entities with which BTG shares data. This Policy includes a list of the types of partners with which we share the Data, which we will keep updated. In any case, if you have questions or want further details, you have the right to ask us for this information.
    Information about the possibility to refuse consent It allows you to have clear and complete information about the possibility and consequences of not providing consent. Your consent, when necessary, must be freely given and informed. Therefore, whenever we ask for your consent, you are free to refuse it - even though, in such cases, we may have to limit our Services.
    Withdrawal of consent You have the right to withdraw your consent to process your personal data for activities that you previously consented to. However, this will not affect the legality of any process previously carried out. If you withdraw your consent, we may not be able to provide certain Services, in which case we will inform you of this condition.
    Opposition The law authorizes the processing of Personal Data even without your consent. If you do not agree with this processing, in some cases, you can oppose it by requesting an interruption.

    WHENEVER YOU EXERCISE YOUR RIGHTS, BTG MAY REQUEST SOME ADDITIONAL INFORMATION IN ORDER TO CONFIRM YOUR IDENTITY, SEEKING TO PREVENT FRAUD. THIS WAY, WE ENSURE THE SECURITY AND PRIVACY OF USERS OF OUR PLATFORM AND OF THOSE WHO CONTACTED US BY E-MAIL OR PHONE, FOR EXAMPLE. HOWEVER, BTG MAY NOT RESPOND TO SOME COMPLEX REQUESTS IMMEDIATELY, BUT WE ARE COMMITTED TO RESPONDING TO ALL REQUIREMENTS WITHIN A REASONABLE PERIOD AND ALWAYS IN COMPLIANCE WITH APPLICABLE LAW.

    If you have any doubts about these issues or how you can exercise these rights, feel free to contact us through the channels available in this Policy.

    6. How long will personal data be stored?

    Your Personal Data is stored only for as long as it takes to fulfill the purposes for which it was collected, except for other reasons such as compliance with any legal, regulatory and contractual obligations, among others, provided that they have a Legal Basis. For example, we must store data related to financial transactions carried out in the National Financial System for a period of ten (10) years, as established by the Central Bank.

    It is important to note that, whenever possible, we will consider your right to request the deletion or interruption of data processing, as described in item 5 above.

    7. What are our responsibilities and how do we protect your personal data?

    We are responsible for processing your Personal Data and use it for lawful purposes, as described in this Policy. And, in order to ensure your privacy and the protection of your Personal Data, we adopt the appropriate security prac-tices for our market, including:

    • encryption and two-factor authentication systems in our Platforms environments;
    • training and awareness policies to keep our employees up to date on how to avoid risks to the Data Subject and identify threats and malicious activities;
    • controls and access privileges to Personal Data, so that employees can only access data strictly necessary for the performance of their duties; and
    • control and monitoring to prevent security incidents, including data leakage, carried out by our Information Security team and by automated security tools recognized by the market.

    We work to protect your Personal Data, but unfortunately we cannot guarantee complete security. Unauthorized or third-party access to your account, hardware or software failure that is not under the control of BTG and other factors can compromise the security of your Personal Data. For this reason, your actions are fundamental for the mainte-nance of a safe environment for all. You can help us by adopting good security practices in relation to your data (for example, not sharing passwords with third parties), and if you identify or become aware of something that undermines the security of your data, please contact us through our Data Protection Officer, whose contact channels are below.

    8. How to contact btg about your personal data?

    If you believe that your Personal Data has been used in a way which conflicts with this Privacy Policy or with your choices as the Personal Data Holder, or if you have any questions, comments or suggestions related to this Policy, please contact our Data Protection Officer (DPO) through the following:

    Data Protection Officer (DPO): Reinaldo Nogueira
    Mailing address: Praia de Botafogo, 501/5 andar - Rio de Janeiro - RJ - 22250-040
    E-mail: sh-privacidade@btgpactual.com

    9. Basic concepts: what do i need to know to understand this policy?

    In order to make your reading easier, below are some useful definitions:

    Term Concept
    LGPD The LGPD is the Brazilian Personal Data Protection Law. The law imposes new protection rules and principles for companies to handle the personal information of individuals, including you. The purpose of the law is to ensure you more privacy, freedom, transparency and control in relation to your personal data used by third parties.
    Personal Data Any information related to an identified or identifiable individual, within a certain context. Some examples of personal data are: Name, RG (identity card), CPF (taxpayer identification number), address, cell phone, e-mail, IP address etc.
    Sensitive Data Any information about an individual’s race or ethnicity, religious beliefs, political opinion, trade union membership, affiliation with any organization of a religious, philosophical or political nature, data relating to health or sex life and genetic or biometric data.
    Handling of data These are the ways Personal Data is handled by BTG, including, but not limited to, the following activities: collection, storage, consultation, use, sharing, classification, reproduction, processing and assessment.

    Legal Basis

    It is the legal hypotheses that authorize BTG to process Personal Data: given consent or the fulfillment of a legal obligation, for example.

    Consent

    The hypothesis that authorizes the processing of Personal Data based on the free, informed and unequivocal manifestation of the Data Subject when agreeing with the handling of Personal Data for a specific purpose, as informed by BTG.
    Legitimate Interest It is a Legal Basis, as defined above. It authorizes the processing of your data (even without your consent), whenever the use of such data is necessary for the purposes of the legitimate interests pursued by BTG or by a third party.
    For example, marketing cookies may collect your Personal Data to offer you advertising tailored to your interests. The Law establishes that interests are only legitimate if your data is used in compliance with Brazilian regulations, and as long as there is effective transparency of such uses and your rights are respected.
    BTG BANCO BTG PACTUAL S.A., financial institution headquartered at Praia de Botafogo, No. 501, 5 andar, parte, in the city and state of Rio de Janeiro, enrolled under corporate taxpayer ID (CNPJ/ME) No. 30.306.294/0001-45.
    Data Subject You: the individual to whom the Personal Data is related, being either a customer or user of our Platform.
    Platform or Platforms BTG’s websites and applications.
    Products and Services All the services and products offered by BTG, focused on the financial and banking markets, such as insurance, pension plans, brokerage, current accounts.
    Policy

    BTG’s Privacy Policy.

    10. Changes in privacy policy

    We are always working to improve our Platforms and Services, and consequently, this Privacy Policy may be amend-ed in order to reflect the improvements made. Therefore, we recommend that you visit this page periodically so that you are aware of any changes. If relevant changes are made, we will notify you.