Privacy Policy

Last updated on May 26, 2026, Nova Lima, Minas Gerais, Brazil.

FIREBIT DIGITAL ASSETS, a legal entity registered under No. 62.873.133/0001-20 ("Firebit"), respects your privacy and is committed to protecting your personal data. For this reason, this Privacy Policy ("Policy") was prepared to explain, in a clear and transparent manner, how we collect, use, store, protect, and share your Personal Data in the context of our activities.

The protection of Personal Data is a priority for Firebit. We adopt strict data Processing policies and measures, in compliance with applicable legal and regulatory standards, with the objective of ensuring information security, respecting the privacy of data subjects, and ensuring transparency in the processes carried out.

Firebit is a digital platform that operates in the virtual assets market, offering intermediation services for the purchase, sale, and exchange of virtual assets. Certain functionalities, such as fiat currency on-ramp and off-ramp operations, may be made available depending on the product contracted, and the custody of crypto assets traded through Firebit is carried out by a specialized service provider within the same ecosystem, as described in this Policy.

In this context, Firebit reaffirms its institutional commitment to the ethical, secure, and responsible processing of personal data of its users, clients, partners, suppliers, and other data subjects, in strict compliance with current legislation, especially the Brazilian General Data Protection Law (LGPD).

By using (i) our services and/or (ii) our Platform, including our websites, you declare that you are aware of and agree to the terms of this Policy. We recommend careful reading of this document and, in case of questions, contacting us through one of the channels indicated in this Policy.

1. DEFINITIONS

We know that some terms used in this Policy may not be common in your daily life. Therefore, we have prepared a short glossary for reference:

Any other terms used with initial capital letters shall have the meaning attributed to them in applicable legislation, especially in the LGPD.

2. PURPOSE

The purpose of this Policy is to explain how Firebit processes and protects the Personal Data of its Clients and how these Data Subjects may exercise their rights regarding the Processing of their Personal Data. If you wish to consult how your data is processed, this Policy (in its most recent version) should be consulted.

Certain specific Processing activities may be subject to terms of use, privacy policies, or specific contractual instruments, whether under the responsibility of Firebit or third parties, prepared specifically for certain services, functionalities, or operations. In such cases, and to the extent applicable, this Policy shall not apply to services that have their own terms and/or standards and over which Firebit does not exercise any kind of interference regarding the purposes and means of Personal Data Processing.

3. HOW DOES FIREBIT COLLECT YOUR PERSONAL DATA?

Collection of Personal Data. Your Personal Data may be collected by us in various ways and to fulfill the purposes described in section 6. Below, we explain some of these means that we use:

• Registration and use of the Platform:at the time of creating the Client's account, as well as during the use of the Firebit Platform, at which time the Personal Data necessary for the use of the Platform is collected, as applicable. Personal Data may also be collected from Partners, within the context of Firebit's economic group;
• Verification and compliance procedures (KYC/AML): when the Client provides documents, images, and information necessary for identification, identity verification, and compliance with legal and regulatory obligations;
• Contact and support channels: when the Client provides or updates information through electronic forms, email, phone, messaging apps, or other official Firebit channels; and
• Exercise of rights and compliance with legal requests: when the Client submits requests related to the exercise of rights provided for in applicable legislation or to compliance with legal obligations.

We always seek to limit the Processing of Personal Data to the minimum necessary to fulfill its purposes.

Firebit may anonymize your Personal Data whenever necessary to ensure your privacy or when required by applicable legislation. In this regard, Firebit may use anonymized data to obtain, among other things, statistical results useful for Firebit, provided that this is in accordance with applicable legislation.

Furthermore, we are committed to the right to privacy of children and adolescents, the protection of their personal information, and the promotion of good use of technology, so that we do not process Personal Data of minors, except in exceptional situations.

Firebit may collect other Personal Data and/or Sensitive Personal Data from the Data Subject, as necessary to achieve the purposes set forth in the section below and always in accordance with the criteria and procedures provided for in the LGPD.

In the context of providing its services, Firebit may receive Personal Data from third-party partners, such as financial institutions, partner companies, or technology service providers, when such data is necessary to enable the integrated provision of services or the referral of users to the Platform. In such cases, the Processing will observe the legal role played by each party, and the third party may act as an independent Controller, joint Controller, or Processor, depending on the definition of the purposes and means of Processing, under applicable legislation and the contractual instruments entered into between the parties.

You may, at any time, request specific information about which Personal Data is being Processed by Firebit through the support channel indicated in this Policy.

4. PURPOSES

Firebit seeks to carry out the Processing of your Personal Data always based on legitimate, specific, explicit, and informed purposes. In this regard, we detail below the main purposes that underpin the Processing of Personal Data and/or Sensitive Personal Data:

You may, at any time, request specific information about the Processing of your Personal Data by Firebit, through the support channel indicated in this Policy.

5. SHARING OF PERSONAL DATA

In some situations, in order to provide our services according to the quality standards you expect, Firebit may share some of your Personal Data with third parties, such as, for example:

• Service providers and operational partners, such as financial institutions, payment service providers, other Virtual Asset Service Providers and Partners, digital asset custodians, identity verification providers (KYC), fraud prevention and anti-money laundering (AML) providers, as well as technological infrastructure, cloud computing, data storage, backup, information security monitoring, and technical support suppliers, to the extent necessary for the enablement and execution of contracted services;
• Public bodies, administrative, regulatory, or judicial authorities, including tax and financial authorities, when sharing is necessary for compliance with legal or regulatory obligations, compliance with judicial or administrative orders, or for the regular exercise of Firebit's rights in administrative, arbitration, or judicial proceedings; and
• Third parties involved in corporate operations, such as mergers, spin-offs, acquisitions, incorporations, or any other corporate reorganization involving Firebit, in which case sharing will occur in a manner compatible with the purposes of this Policy and through the adoption of adequate confidentiality and personal data protection measures.

In the context of providing services, Firebit shares personal data and operational information with a company within the same ecosystem responsible for the custody and infrastructure of crypto assets, exclusively to enable the safekeeping, movement, security, and traceability of users' crypto assets, within the limits necessary for the execution of services.

We emphasize that the sharing of Personal Data by Firebit will be carried out through the adoption of adequate technical, administrative, and organizational measures, designed to ensure the confidentiality, integrity, and availability of information, as well as compliance with security standards required by applicable legislation and market best practices.

In the event of engaging third parties, Firebit will use its best efforts to verify that such third parties have adequate technical, organizational, and legal structures for the processing of personal data, requiring, whenever applicable, compliance with contractual obligations related to information security, confidentiality, and personal data protection.

6. THIRD-PARTY WEBSITES AND APPLICATIONS

We remind you that this Policy applies exclusively to Processing activities carried out by Firebit within the scope of its Platform and its services. This Policy does not apply to websites, applications, platforms, or third-party services accessed through links, technical integrations, or redirects made available on the Platform.

The provision of links, integrations, or references to third-party services does not, by itself, imply any endorsement, sponsorship, or responsibility on the part of Firebit in relation to such third parties, nor regarding the Processing practices they adopt.

7. INTERNATIONAL TRANSFER OF PERSONAL DATA

Within the scope of its activities, Firebit may carry out the international transfer of Personal Data to third parties located outside Brazil, exclusively when such transfer is necessary for the execution of its operations, the use of technological infrastructure, compliance with legal or regulatory obligations, or ensuring the security and continuity of its services.

Such transfers may be carried out for activities such as (i) secure storage and preservation of Personal Data, in order to ensure availability, integrity, and confidentiality of information, (ii) execution of operational and administrative activities, including backup, replication, and data recovery, (iii) use of specialized suppliers located in other countries, and (iv) to ensure compliance with Firebit's legal and/or regulatory obligations. Given the purpose of storage on corporate cloud servers, in addition to compliance with legal and regulatory obligations in the context of operations, all Personal Data under processing may be subject to international transfer.

Personal Data may be transferred and processed in different locations, depending on the needs of Firebit's operations. In this regard, transfers may occur to countries where Firebit's servers, applications, and services are located, as well as countries where other Firebit suppliers are located.

Data Subjects have the right to request more information about the sharing of their Personal Data, and may contact us through the channel indicated in this Policy.

The international transfer of Personal Data may be carried out for the time necessary to fulfill the purposes indicated in this Policy and considering other contracts and/or agreements entered into with third parties and/or clients. The sharing period may vary depending on the nature of the Personal Data transferred, the purposes, and other applicable legal requirements.

International transfers of Personal Data, when they occur to recipients located in countries outside Brazil that do not offer an adequate level of Personal Data protection, will be based on the existence of appropriate safeguards.

8. STORAGE PERIOD

Personal Data will be stored by Firebit for the period necessary and according to the purposes for which it was collected. This data will be retained for a period defined according to:

• the period required by laws, resolutions, and/or other regulations to which Firebit is subject;
• the time necessary to achieve the purpose of the Processing of Personal Data, as listed in this Policy;
• the time necessary to preserve Firebit's legitimate interest, as applicable; or
• the time necessary to safeguard the regular exercise of Firebit's rights in judicial, administrative, or arbitration proceedings, including in accordance with applicable statute of limitations.

Except in cases where legislation authorizes the retention of your Personal Data by Firebit, they will be deleted when:

• the purpose of the Processing has been achieved;
• the Personal Data is no longer necessary or relevant to achieve the specific intended purpose;
• in applicable cases, you exercise your right to revoke Consent, by means of communication; or
• there is a determination by the ANPD, in case of violation of the LGPD.

You may, at any time, request the deletion of your Personal Data stored by Firebit, provided that such data (i) is unnecessary, excessive, or processed in non-compliance with the LGPD, or (ii) was provided through the granting of Consent. The deletion request may be made through the support channel indicated in this Policy.

Firebit commits to making its best efforts to fulfill all Personal Data deletion requests as quickly as possible, provided that they are permitted under applicable legislation.

9. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?

As a Data Subject, you have a series of rights provided for by the LGPD, which are:

• Confirmation of the existence of Processing: you may request Firebit to confirm that your Personal Data is being processed.
• Access to Personal Data: you may request Firebit for access to Personal Data under Processing. In this case, Firebit will provide, by electronic or physical means, a copy of your Personal Data stored by us. Firebit cannot provide Personal Data of other Data Subjects.
• Correction or updating of Personal Data: you may request the correction or updating of your Personal Data when it is inaccurate, incomplete, or outdated. Before updating your Personal Data, Firebit may request documents and/or information that prove the information provided.
• Request Anonymization, blocking, or deletion of Personal Data: you may request that unnecessary, excessive Personal Data or data processed in non-compliance with the LGPD be anonymized, blocked, or deleted from Firebit's database.
• Personal Data Portability: you may request the migration of your Personal Data collected by Firebit to another organization after regulation on the subject by the ANPD.
• Deletion of Personal Data: you may request the deletion of your Personal Data processed by Firebit based on your Consent, at any time, through a free and facilitated expression, and Personal Data will not be deleted in cases where retention is authorized by the LGPD.
• Information about the sharing of Personal Data: you may request information about the sharing of your Personal Data with third parties.
• Information about the possibility of not providing Consent: you may request information about the possibility of not providing Consent for the Processing of your Personal Data by Firebit, at which time Firebit will inform you of the consequences of this refusal, which, in some situations, may make it impossible to offer certain products and services.
• Revocation of Consent: you may revoke the Consent provided to Firebit for the Processing of Personal Data for certain purposes, at any time. However, the withdrawal of Consent (a) will not affect the legitimacy of Processing carried out previously, nor will it prejudice Processing carried out based on other legal bases; and (b) may make it impossible to continue some services.
• Objection to Processing: you may object to the Processing of Personal Data carried out by Firebit based on one of the legal hypotheses of Consent waiver that is not in line with the provisions of the LGPD.
• Review of automated decisions and explanation: you may request that Firebit review decisions made solely on the basis of automated Processing of Personal Data that affect your interests, including decisions intended to define your personal, professional, consumer, credit profile, or aspects of your personality, and you may also request clear and adequate information regarding the criteria and procedures used for the automated decision, subject to trade and industrial secrets.

The exercise of Data Subject rights must be carried out exclusively through the contact channels indicated in this Policy, which are available on the Firebit Platform, at which time Firebit will analyze and respond to requests within the periods and terms provided for in applicable legislation, and may, when necessary, request additional information for purposes of confirming the identity of the Data Subject and the legitimacy of the request.

To fulfill the rights exercised under this section and to ensure the security of Personal Data, Firebit may request information and documents for purposes of verifying the identity and authenticity of the requesting Data Subject.

10. SECURITY IN THE PROCESSING OF YOUR PERSONAL DATA

Firebit employs reasonable efforts to ensure the security of systems used in the Processing of Personal Data in an effort to, among other things, prevent incidents that may compromise your privacy and the protection of your Personal Data. Among the initiatives taken by Firebit, we mention:

• Technical, physical, and administrative measures capable of keeping Personal Data secure and protected from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any other form of inadequate or unlawful Processing, in compliance with applicable data protection and information security rules, including standard data encryption/encoding in accordance with market best practices;
• Maintenance of all information in a confidential manner, so that only persons responsible for ensuring the correct use of such information have access to it; and
• Awareness of Firebit employees on good compliance practices and Personal Data protection, in compliance with the LGPD.

The Platform may contain links that direct you to other pages, including those of partners, that have policies with provisions different from those set forth in this document. Therefore, Firebit is not responsible for the collection, use, sharing, and storage of information and/or Personal Data by those responsible for such pages outside the Firebit Platform domain.

Firebit makes its best efforts to preserve the confidentiality, integrity, and availability of the Personal Data of its Data Subjects. However, no institution can be considered immune to attacks such as unauthorized access perpetrated through methods developed to improperly obtain information. For this reason, we encourage you to take appropriate measures to protect yourself, such as keeping all usernames and passwords confidential, adopting two-factor authentication, among others.

11. HOW TO CONTACT US

If you have any questions or comments related to this Policy and questions related to the topic of Data Protection, please contact us through our Data Protection Officer.

Data Protection Officer: Felipe Fernandes Coelho.

Email: compliance@Firebit.com.

12. GENERAL PROVISIONS

This Policy may be reviewed at any time and without prior notice, taking into consideration, among other points, applicable legislation and organizational changes that may occur at any time, in order to maintain its relevance and effectiveness. The most current version of this policy will always be available at https://www.firebit.pro/privacy-policy .

If we make any significant change to this Policy that, in our judgment, is substantial, you may become aware of the changes to the Policy by accessing our website, where the updated version will be published, with an indication in the appropriate channels about such relevant update.

By continuing to access or use our services after the effective date of such change, you accept and agree to be bound by the revised version of the Policy.

This Policy shall be governed and interpreted in accordance with the laws of the Federative Republic of Brazil and shall take effect on the date of its publication.