Last updated on August 1, 2025

1. Introduction

1.1. Welcome to Mippo. Your privacy and the protection of your personal data are our priorities. This Policy applies to all users, clients, potential clients, partners, service providers, employees, and visitors who use or interact with our Platform and service channels.

1.2. By using our services, you acknowledge and agree to this Policy, as well as to the Terms of Use, the Compliance Policy, and the Information Security Policy, which complement and govern our activity.

1.3. This Policy has been prepared in accordance with the Brazilian General Data Protection Law (Law No. 13.709/2018 – LGPD), the Brazilian Internet Civil Framework (Law No. 12.965/2014), the European Union General Data Protection Regulation (GDPR), and other national and international standards applicable to Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT).

2. Who we are

2.1. We are Mippo Instituição de Pagamento LTDA, registered under CNPJ nº 41.639.546/0001-74, headquartered at Rua Gomes de Carvalho 1629, Vila Olímpia - São Paulo SP, 04547-006.

2.2. We operate as an OTC (Over the Counter) desk for stablecoins, facilitating digital asset transactions in compliance with applicable regulations, adopting strict standards of compliance, KYC (Know Your Customer), KYB (Know Your Business), and AML (Anti-Money Laundering).

3. What data we process

3.1. Personal data provided by the data subject: Full name, CPF, RG or passport; Address, email, and phone number; Bank details, PIX keys, digital wallet addresses; Proof of income and residence; Professional information and source of funds.

3.2. Sensitive data (when required): Facial biometrics (selfie, liveness video, document comparison); Identity verification data from public and private sources; Financial and transactional profile data for suitability and compliance purposes.

3.3. Automatically collected data: IP address, approximate geolocation; Device identifiers, operating system, internet provider; Access logs with date, time, and session duration.

4. Purposes of data processing

4.1. Mippo uses personal data for the following purposes:

a) To execute OTC stablecoin trading services;

b) To comply with legal and regulatory obligations (BACEN, COAF, Receita Federal, ANPD, and international equivalents);

c) To carry out identification, authentication, and fraud prevention processes;

d) To monitor suspicious transactions and comply with AML/CFT policies;

e) To continuously improve the security, efficiency, and usability of the Platform;

f) To send operational, security, and customer service communications;

g) To respond to administrative, judicial, or arbitration demands.

4.2. Without such data, Mippo will not be able to properly provide its services, as collection and verification are legal and regulatory requirements.

5. Users’ rights and obligations

5.1. Under LGPD and GDPR, data subjects have the right to: Confirmation of processing; Access to data; Correction of inaccurate data; Deletion, blocking, or anonymization of unnecessary or unlawfully processed data; Data portability; Information about data sharing with third parties; Withdrawal of consent, where applicable.

5.2. Rights may be exercised through the channel caio@orbifi.ai, subject to identity verification.

5.3. Users also have obligations, such as keeping their credentials secure, not sharing login and password with third parties, and using updated and secure devices.

6. Cookies and similar technologies

6.1. We use cookies and similar technologies to: Ensure security and authentication; Improve user experience; Perform statistical analyses of Platform usage; Personalize communications and services.

6.2. Users may configure their browsers to block third-party cookies, understanding that some functionalities may be limited.

7. Data retention

7.1. Personal data will be stored: For the duration of the contractual relationship; For a minimum of 5 years after termination of the relationship, in accordance with BACEN, COAF, and Receita Federal rules; Up to 10 years, when required by the Brazilian Civil Code (art. 205).

8. Data sharing

8.1. Data may be shared with: National and international public authorities (BACEN, COAF, Receita Federal, ANPD, among others); Providers of KYC, AML, risk analysis, and anti-fraud services; Financial institutions and payment service providers involved in settlements; Technological partners (cloud, security, infrastructure providers).

8.2. International data transfers will respect appropriate safeguards (standard contractual clauses, adequacy decisions, or explicit consent from the data subject, where applicable).

9. How we handle data

Data minimization: we process only strictly necessary data;

Transparency: we clearly inform purposes;

Security: we apply encryption, multi-factor authentication, and access controls;

Confidentiality: restricted access only to authorized personnel;

Governance: periodic review of compliance and privacy practices.

10. Information security

10.1. We adopt adequate technical and administrative measures: Encryption at rest and in transit; Continuous monitoring against unauthorized access; Firewalls, corporate antivirus, and periodic security tests; Logging and tracking; Internal confidentiality policies with employees and partners.

10.2. Users must follow good security practices (strong passwords, 2FA, logout from public devices).

10.3. In the event of a security incident that may cause risk or relevant damage, we will notify the data subject and the ANPD within the legal timeframe.

11. Policy changes

11.1. This Policy may be updated periodically, especially due to new laws, regulatory standards, or service improvements.

11.2. Relevant changes will be communicated by email or notice on our Platform.

12. Contact and DPO

12.1. For questions, requests, or complaints, please contact: caio@orbifi.ai.

12.2. Our Data Protection Officer (DPO) is Caio Soares, responsible for ensuring compliance with LGPD, GDPR, and other applicable regulations.