Privacy Policy

1. Who We Are

1.1 Bullet is owned by BULLET PAYMENTS AND FINANCIAL SERVICES LTD., a limited liability company headquartered in Vancouver, British Columbia, Canada, at 578-2912 WEST BROADWAY, Postal Code V6K0E9, registered under number BC1506717. The platform operates exclusively at https://bullet.cash with MSB Registration: C100000796 (FINTRAC, Canada).

1.2 Bullet may amend this Privacy Policy at any time. Changes will be communicated via email or app notice. Continued use after modifications indicates acceptance of updated terms.

1.3 Data Protection Officer: Victor Araujo ([email protected]). The DPO ensures PIPEDA and LGPD compliance, manages privacy inquiries, communicates with regulatory bodies, and advises on data protection practices.

2. How Does Registration on Bullet Work?

2.1 Bullet collects necessary personal data to provide services and meet legal obligations. Registration and service use authorizes data processing per this Privacy Policy.

2.2 Users must be at least 18 years old. Minor registrations result in data deletion and account cancellation.

3. What Personal Data Is Collected?

3.1 Bullet collects information in various circumstances:

(a) Basic Registration Data:

• Full name
• Tax identification number (CPF/SIN)
• Email address
• Phone number
• Date of birth
• Full address

(b) Additional Data for Regulatory Compliance:

• Driver's license, ID card, or identification document copies
• Proof of address
• User photo (selfie)
• Proof of income and tax returns
• Other documents required by authorities

(c) Financial Transaction Data:

• Proof of financial institution relationship
• Financial institution, branch, and account identification
• PIX transfer keys
• Data necessary for transactions

(d) Promotional Data:

• Platform nickname for exclusive promotions

3.2 Bullet is not responsible for accuracy, truthfulness, or currency of provided information but commits to correction upon request as required by law.

3.3 This policy does not apply to third-party partner websites. Users should review their privacy policies before sharing data.

4. What Technical Data Is Collected?

4.1 Users authorize collection of technical information:

• Access IP address
• Access time and date/time of access
• Device type
• Pages visited
• Language used
• Location
• Roaming tracking
• Software crash reports
• Browser type

4.2 Bullet uses anonymized data for statistics, research, surveys, risk management, and fraud detection/prevention per applicable terms.

4.3 Users may authorize or decline marketing data use at registration with free, informed, unequivocal consent. Users may opt out anytime by contacting Bullet.

4.4 Bullet uses user preferences to notify about potentially interesting services.

5. Purpose of Data Processing

5.1 Personal data enables service operation and provision, legal compliance, consent-based processing, and legitimate interest fulfillment.

5.2 Legal Bases for Data Processing

Per LGPD (Art. 7) and PIPEDA, processing occurs under:

(a) Performance of a Contract (Art. 7, V LGPD)

• Financial transaction processing
• Account management
• Service provision
• Billing

(b) Compliance with Legal or Regulatory Obligation (Art. 7, II LGPD)

• FINTRAC, Central Bank of Brazil, COAF compliance
• Identity verification (KYC)
• Anti-money laundering/counter-terrorism financing (AML/CTF)
• 5-year record retention
• Court order compliance

(c) Legitimate Interest (Art. 7, IX LGPD)

• Fraud prevention and detection
• System and transaction security
• Risk analysis
• Service improvement

(Users may object to this processing)

(d) Consent (Art. 7, I LGPD)

• Marketing communications
• Non-essential partner sharing
• Non-essential cookies

(Users may withdraw consent anytime)

5.3 When processing purposes change incompatibly with original consent, users receive advance notice and may revoke consent.

5.4 Data is used exclusively to:

• Identify and validate data
• Enable financial transactions
• Provide services
• Proper service delivery
• Billing
• Address requests and inquiries
• Verify 18+ age eligibility
• Communicate about relevant services

5.5 Payment and financial transaction data are used exclusively for:

• User experience improvement
• Identity validation and security
• Risk and fraud analysis
• Regulatory compliance including KYC and AML/CTF
• Service delivery

5.6 Certain activities require consent: product/service promotion and third-party service promotion. Users may authorize or decline at registration or anytime thereafter.

5.7 Processing continues until:

• Purpose fulfillment or necessity ends
• Processing period concludes
• User requests termination
• Competent authorities require cessation

5.8 While processing continues, personal data:

• Remains in secure database with controlled access
• Is used exclusively for consented or disclosed purposes
• Complies with legal requirements

6. Sharing of Personal Data

6.1 Bullet shares data with banks and payment service providers to execute financial transactions and maintain records.

6.2 Bullet shares data with regulatory authorities including FINTRAC (Canada), Office of the Privacy Commissioner of Canada, and judicial/law enforcement authorities. As an MSB, transaction reporting and record maintenance are legally mandatory. Third-party data sharing occurs for terms enforcement and legitimate interests.

6.3 Bullet shares personal data with service partners for contracted services:

• Cloud hosting and infrastructure providers
• Identity verification and KYC providers
• Payment processors and financial institutions
• Fraud prevention and security services
• Communication service providers (transactional and, with consent, marketing)

All partners contractually maintain confidentiality and use data only for specified purposes.

6.4 Upon user requests for correction, deletion, anonymization, blocking, or consent withdrawal, Bullet informs partner companies to take requested actions.

7. Data Subject Rights

7.1 As personal data owner, users may request:

• Confirmation of processing existence
• Data access
• Incomplete, inaccurate, or outdated data correction
• Unnecessary, excessive, or unlawfully processed data anonymization, blocking, or deletion
• Personal data transfer to another provider
• Consent-based data deletion
• Information about entities receiving data
• Consent refusal information and consequences
• Consent revocation

7.2 To exercise rights, contact [email protected]

Response Time:

• Brazil Users: 15 calendar days (LGPD Art. 18, §1)
• Canada Users: 30 days (PIPEDA)

Identification Required: Government-issued photo ID protects privacy before processing access, correction, or deletion requests.

Cost: Most requests process cost-free. Extensive or repetitive requests may incur minimal fees with advance notice.

Format of Response: Information provided in comprehensible format (PDF or requested format).

7.3 Some requests cannot be fulfilled. Users receive reasons and relevant contact information. Requests cannot be fulfilled when:

• Data compliance with legal obligation is necessary
• Data necessity for judicial proceedings rights exercise exists
• Professional secrecy protects data
• Deletion impossibility or disproportionate efforts exist (LGPD Art. 18, §3)

7.4 For right exercise or privacy questions/suggestions/complaints, contact [email protected]. Account closure follows data deletion. Communications with users are retained per public authority or competent body requirements, including legal defense.

8. Retention of Personal Information

Bullet retains personal information necessary for fulfillment purposes, legal/regulatory obligation compliance, and judicial/administrative proceeding rights preservation. Retention periods comply with Canadian (PIPEDA, FINTRAC) and Brazilian (LGPD, Central Bank, COAF) laws.

(a) Transaction and Financial Records: Minimum 5 years. Legal Requirement: FINTRAC regulations (Canada) under Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations and Brazilian Resolution BCB No. 277/2023, Circular BCB No. 3.978/2020, and Law No. 9.613/1998 (Art. 10, I) require MSBs and financial institutions to retain transaction records, KYC documents, and AML/CTF records minimum 5 years from transaction date or relationship termination.

(b) Account Information: Relationship duration + 5 years. Purpose: Contract performance and legal defense per FINTRAC obligations.

(c) Marketing Consent: Until withdrawal. Following withdrawal, Bullet immediately ceases marketing communications and suppresses contact information.

(d) Security Logs: 12 months. Purpose: Security incident investigations.

(e) Anonymized Data: Indefinitely. Anonymized data is no longer considered personal information under PIPEDA and LGPD (Art. 12).

Secure Destruction: After retention periods end, personal information is permanently destroyed via secure deletion or physical destruction unless longer retention is legally required.

9. Security Measures to Protect the User

9.1 Bullet implements appropriate technical and organizational measures for maximum personal data protection. Industry-standard security measures protect information in secure, confidential database.

Technical Measures:

• Multi-factor authentication for administrative access
• Role-based access control
• Firewalls, intrusion detection/prevention systems
• 24/7 monitoring

Organizational Measures:

• All employees and contractors sign NDAs
• Mandatory privacy and security training
• Data processing agreements with all service providers requiring PIPEDA and LGPD-equivalent protection

9.2 User-chosen account credentials protect accounts, ensuring exclusive personal information and account access. Users are solely responsible for credential management and password confidentiality.

9.3 Users should use strong passwords and avoid third-party device or public network access. Bullet never requests passwords/PINs or sends executable file downloads. Bullet is not responsible for unauthorized access from user negligence.

9.4 Users are solely responsible for device and network operation and security. Industry-recommended precautions include antivirus software and device manufacturer/software provider suggestions. Users suspecting data risk should contact support.

10. Security Safeguard Breach, Notification

Per PIPEDA Section 10.1 (Canada) and LGPD Article 48 (Brazil), if security breach creates real harm risk, Bullet will:

(a) Notify affected individuals including:

• Breach and involved personal information description
• Breach date or period
• Risk mitigation and future prevention steps taken
• Risk reduction steps users can take
• Inquiry contact information

(b) Report breach to:

• ANPD (Brazil): Within reasonable period, up to 2 business days from incident awareness (Art. 48 LGPD)
• OPC (Canada): As soon as feasible (PIPEDA s. 10.1)

(c) Notify other organizations potentially reducing harm risk.

"Real risk of significant harm" includes: bodily harm, humiliation, reputation damage, financial loss, identity theft, or credit record negative effects.

Recordkeeping: All breaches are recorded for 24 months, available to Office of the Privacy Commissioner and ANPD upon request.

Reporting Suspected Breaches: Contact [email protected] immediately upon suspicion.

11. Compliance with FINTRAC and Anti-Money-Laundering Regulations

As registered Canadian MSB, Bullet is subject to Proceeds of Crime (Money Laundering) and Terrorist Financing Act and FINTRAC regulations.

Legal Obligations:

(a) Identity Verification: Customer identity verification using government-issued identification is mandatory before service provision (KYC requirement).

(b) Record Retention: Records must be retained minimum 5 years, including identity verification records, transaction records, and correspondence.

(c) Transaction Reporting: Bullet must report specific transactions to FINTRAC without user knowledge or consent:

• Large Cash Transactions (CAD $10,000+ in cash)
• Suspicious Transactions (any amount involving money laundering or terrorist financing)
• International Electronic Funds Transfers (CAD $10,000+)

Information Reported: When filing required reports, identifying information, account information, and transaction details are disclosed to FINTRAC.

Consequences of Non-Compliance: Failure to provide FINTRAC-required information may prevent account opening or transaction processing.

For more information: www.fintrac-canafe.gc.ca

12. Cookies and Tracking Technologies

Bullet uses cookies and similar technologies for platform functioning, experience improvement, and preference-aligned service offering. Categories include:

(a) Essential Cookies: Necessary for authentication, security, session maintenance, and basic service operation. Cannot be disabled.

(b) Performance and Analytics Cookies: Aggregate navigation, loading time, and system performance information is collected for product improvement identification.

(c) Preference Cookies: User-chosen settings (language, region, device) are stored.

(d) Marketing Cookies (Optional/Consent-Based): Used only with express authorization for campaigns, promotions, and personalized recommendations.

Retention: Cookies remain active until expiration or user deletion, typically 30 days to 12 months depending on category.

13. International Data Transfers

Bullet operates globally; data may be transferred, processed, and stored in countries where Bullet or partners operate, including Canada, Brazil, United States, Dominica, and others.

Legal Basis for International Transfer

Per LGPD (Art. 33) and PIPEDA, transfers occur based on:

• Countries with adequate protection levels, such as Canada
• Contracts or standard contractual clauses with commercial partners
• Contract performance necessity for service provision
• FINTRAC, ANPD, or other competent authority legal obligation compliance

Safeguard Measures

All transfers follow:

• Environment segregation and granular access control
• Privacy and confidentiality-addressing contractual clauses