1. PURPOSE

This Privacy Policy is intended to (i) communicate to customers and partners about (a) how any personal data of those who visit the Group’s websites (regardless of where they access it from) or (b) enter into a contract with StoneX is handled and cared for, and (ii) inform them about their privacy rights under applicable data protection legislation (Legislation).

2. SCOPE

The policy covers the companies of StoneX Group based in Brazil: StoneX Consultoria de Futuros e Commodities, StoneX DTVM, StoneX Banco de Câmbio and StoneX Investimentos. The policy described herein is applicable exclusively to personal data processing situations occurring within the Brazilian territory.

3. RELATED LEGISLATION

• Federal Law No. 13,709/18 – General Law of Protection of Personal Data (LGPD);
• CMN Resolution N° 4893/21 and BCB Resolution 85/2021 – Cybersecurity Regulations for Banks and FIs.

4. DEFINITIONS

4.1. ACRONYMS & TERMINOLOGY

• processing agents: the controller and the operator;
• anonymization: use of reasonable and available technical means at the time of processing whereby a data loses the possibility of association, directly or indirectly, with an individual;
• database: structured set of personal data, established in one or
• several locations, in electronic or physical support;
• BCB – Central Bank of Brazil;
• blocking: temporary suspension of any processing operation, by keeping the personal data or the database;
• CMN – National Monetary Council;
• consent: free, informed and unequivocal manifestation by which the holder agrees with the treatment of his personal data for a specific purpose;
• Controller: a natural or legal person, governed by public or private law, who is responsible for decisions concerning the processing of personal data;
• Cookies – small files that temporarily store what the internet user is visiting on the net, the site sends to the browser and are stored in the device, allowing the collection of information about him/her in an automatic way;
• anonymized data: data concerning the owner that cannot be identified, considering the use of reasonable and available technical means at the time of its treatment;
• sensitive personal data: personal data concerning racial or ethnic origin, religious conviction, political opinion, membership of a labor union or of a religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data, when related to a natural person;
• personal data: information related to an identified or identifiable natural person;
• combined data – Set of personal data and aggregate data;
• DPO – Data Protection Officer – the executive responsible for meeting the local regulator, as well as receiving and meeting the demands of the data subjects;
• erasure: deletion of data or of a set of data stored in a database, regardless of the procedure employed;
• person appointed by the controller and operator to act as a communication channel between the controller, the data subjects and the National Data Protection Authority (ANPD);
• Group – A group of companies, affiliated or controlling, that make up StoneX Group;
• FI – Financial Institutions;
• Direct Interactions – When a customer, partner or employee: (i) enters into a contract with a Group Company; (ii) requests our products or services; (iii) creates an account on our website; (iv) subscribes to our service or publications; (v) requests marketing materials; (vi) participates in a prize draw, promotion or survey; or (vii) provides us with feedback;
• operator: the natural or legal person, governed by public or private law, who processes personal data on behalf of the controller;
• data subject: natural person to whom the personal data that are subject to processing relate;
• international data transfer: transfer of personal data to a foreign country or international body of which the country is a member;
• processing: any operation carried out with personal data, such as those related to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination or extraction;
• shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared processing of personal databases by public bodies and entities in the fulfillment of their legal competencies, or between these and private entities, reciprocally, with specific authorization, for one or more processing modalities permitted by these public entities, or between private entities.

4.2. AREAS INVOLVED IN THE PROCESS

4.2.1. Responsible Area

• DPO

4.2.2 Support Areas

• Areas with access to client data

5. PROVISIONS

5.1. GUIDELINES

StoneX Group is committed to protecting the privacy and security of personal information of all customers. Customers who are not covered by this Policy shall follow the privacy rules governed by the Privacy Policy in force and made available in the customer’s country of residence or in the registration kit or product/service contract signed with the respective Group entity with which they have a contract. It is important that this Policy be read in conjunction with any other privacy or data processing statement that may be provided on specific occasions so that the guidelines used by the Group are clear.

Knowledge and awareness of this privacy policy is indispensable in order to:

1. Accessing the SITE;
2. A registration is carried out;
3. Services offered by the Group are used and/or contracted.

 

5.1.1. COLLECTED DATA

Personal data and/or information about an identified or identifiable natural person is collected for the purpose of dealing with the Group, not including data where the identity has been removed (anonymous data). Different types of personal data may be collected, used, stored and transferred, and are grouped as follows, without limitation and without prejudice to other definitions provided by legislation:

1. Identity Data includes first name, last name, username or similar identifier, marital status, title, date of birth and gender.
2. Contact Data includes email address and telephone numbers.

iii. Financial Data includes financial information at your institution, only as it relates to the services we may provide to you.

1. Transaction Data includes details of payments to and from you and other details of products and services of ours that have been contracted by you.
2. Technical Data includes IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technologies of the devices you use to access any of our websites. Most technical data is obtained through the use of cookies, as detailed below.
3. Profile Data includes your username and password, transactional activity, your interests, preferences, feedback and survey responses.

vii. Usage Data includes information about how you use any of our sites, products and services, such as date and time of access, geographic location, duration of visit, pages visited, etc.

viii. Marketing and Communications Data includes your preferences in receiving marketing materials from us, from our third parties and your communications preferences.

Aggregate data may also be collected, used and shared, such as statistical or demographic data, for any purpose. Such data may be collected as personal data, but is not considered personal data under the law because it is anonymous and does not reveal the identity of the customer either directly or indirectly. Usage data may be aggregated to calculate the percentage of users accessing a specific feature of the sites. In the case of the use of combined data that can directly or indirectly identify the customer, the combined data will be used and handled in accordance with this policy.

Additional information may be required strictly to meet regulatory obligations.

No sensitive personal data is collected.

Non-provision of personal data:

In the event of the need to collect personal data, whether required by current Legislation or under the terms of a contract entered into, that is not provided when requested, the Group may be unable to enter into or perform the contract, and may ultimately have the contract and the corresponding service cancelled or denied.

Third Party Links

The Group’s websites may include links to third party websites, plug-ins and applications. Clicking on these links or activating these connections may require these third parties to collect or share personal data. Since each company has its own data privacy policy it is important that you read them when you leave the Group’s websites.

5.1.2. HOW PERSONAL DATA IS COLLECTED

Different methods are used to collect data, including:

1. Direct Interactions. data provided willingly and voluntarily, and which is requested through:

• Requesting information of the products or services offered;
• Creating an account on the sites;
• Entering into contracts with StoneX;
• Subscription to a service or publication;
• Request to send marketing materials;
• Participation in a sweepstakes, promotion or survey; or
• By providing feedback.

1. Automated Technologies or Interactions. It is possible that during the use of the Site, technical data about equipment, actions, and browsing patterns may be automatically collected, which occurs through cookies, server logs, and other similar technologies.

iii. Third Parties or Publicly Available Sources. Personal Data from various third parties and publicly available sources, as described below:

(a) Technical Data from third parties such as:

– analytics providers;

– advertising networks; and

– providers of research information.

1. b) Contact, Financial and Transaction Data from technical, payment and delivery service providers.
2. c) Identity and Contact Data from data splitters and aggregators.
3. d) Identity and Contact Data from publicly available sources, such as corporate entity records and Voter Registration.

5.1.3. USE OF PERSONAL DATA

Personal data will be used only where the law permits and to the minimum extent possible, only to achieve the purposes for which the data was collected.

Using the predetermined legal basis(s) for this, the most common cases in which personal data will be used are

(a) When it is necessary to perform the contract that is about to be concluded or already concluded.

1. b) When it is necessary according to legitimate interests of the Group and when fundamental rights do not override these interests.
2. c) When it is necessary to comply with legal or regulatory obligations.

Thus, consent is not required as a legal basis for processing personal data, except in connection with the sending of direct marketing communications by third parties via e-mail or text message. The removal of consent, by the customer, in marketing materials can be done at any time through the contacts provided at the end of the policy.

Listed below are the data that will be collected for each activity and their respective legal bases.

1. start of relationship:

– Identity No.

– Data for electronic and/or telephone contact

Legal Basis: (i) Entering into a contract with you; (ii) Need to comply with legal obligations; (iii) Legitimate Interest (Marketing and Communications)

2. Order Processing:

– Identity

– Contact Person

– Financials

– Operations

– Marketing; and Communications

Legal basis: (i) Performance of a contract; (ii) Legitimate Interest (to recover debts owed); (iii) Need to comply with legal obligations

3. Relationship management/interactions: These being (a) Notifications about changes made to the privacy policy; (b) Request to conduct an assessment or a survey; (c) correspondence about accounts and/or changes to management or procedures.

– Identity

– Contact Person

– Profile

– Marketing;

– Communications

Legal Basis: (i) Entering into a contract with you; (ii) Need to comply with legal obligations; (iii) Legitimate Interest (keeping our records up to date and studying how customers use our products/services)

4. Participation in a sweepstakes, promotion, or survey

– Your identity

– Contact Person

– Profile

– Usage

– Marketing; and Communications

Legal Basis: (i) Performance of a contract; (ii) Legitimate Interest (to study how customers use our products/services, develop them and expand our business)

5. Business and site administration and protection (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and data hosting)

– Identity & Media

– Contact Person

– Technicians

Legal Basis: (i) Legitimate Interest (to perform business, provide IT and administration services, network security, prevent fraud and in the context of a business reorganization or group restructuring exercise); (ii) Need to comply with legal obligations

6. Providing relevant content and advertisements on the site and measuring or understanding the effectiveness of the advertising that is offered.

– Identity

– Contact Person

– Profile

– Usage

– Marketing; and Communications

– Technical

Legal Basis: (i) Legitimate Interest (to study how customers use our products/services, develop and expand our business)

7. Data analysis to improve site content, products/services, marketing, customer relationships and experiences – Technical – Use Legal Basis: (i) Legitimate Interest (define types of customers for our products/services, keep our site up-to-date and relevant, develop our business and inform our marketing strategy)
8. Profile analysis to be offered products or services that may be relevant to the recipient

– Identity

– Contact person

– Technical

– Usage

– Profile

Legal Basis: Legitimate Interest (to develop our products / services and expand our business)

If it is necessary to use a data provided that requires consent, the Group will contact you, and the use or processing of data will be in accordance with applicable Law. The Group undertakes to provide explanations on how the processing is carried out.

5.1.4. MARKETING

We may process personal data on the legal basis of our legitimate business interests for the benefit of the services provided.

These legitimate business interests may use Identity, Contact, Technical, Usage and Profile Data to better serve the customer’s interests. StoneX Group evaluates which products, services and offers may be relevant to the customer.

Customers will receive the materials produced when they wish to do so and provide the data for the communication to take place. A customer’s personal data may be used by any area within the Group.

5.1.5. COOKIES

The use of cookies occurs to enable a pleasant user experience and to ensure the effective functioning of the website. The cookie settings are fully configurable by customers, and they can choose to refuse all or some cookies, or to alert them when sites set or access cookies. Refusal to use cookies may adversely affect the functionality offered.

The Group uses the following types of cookies when the site is accessed:

– Essential cookies – are used to collect information to enable the correct and proper functioning of the website and access.

– Analytics cookies – these are used to collect information about the use of the site, to evaluate interactions with the site in order to improve our services and the experience of accessing the site.

– Preference cookies – these are used to collect information that allows us to ascertain the interests and preferences of customers, in order to offer services that are related to the customer’s interests.

With the exception of essential cookies, which cannot be disabled, as this would make it impossible to access the site, it is possible to disable the use of other cookies or even delete them by adjusting the browser or device settings at any time.

5.1.6. DISCLOSURE OF PERSONAL DATA

All information collected by StoneX Group is confidential. Under no circumstances will information provided be sold to third parties. However, in accordance with the purpose described in this policy, personal data may be shared

– Between companies of the StoneX Group economic group;

– Other third parties necessary to fulfill the purposes described in this policy.

– regulatory authorities and/or when necessary to protect the rights and interests of StoneX Group, such as in the case of a court order

– third parties with whom StoneX Group chooses to carry out active corporate restructuring transactions within the limits of this policy.

StoneX Group, whenever possible, preserves the anonymity of personal data before sharing and third parties will be required to maintain the confidentiality and security of the information shared. The privacy policy requires all third parties to respect the security of the personal data shared and to treat it in accordance with the law. Service providers are not permitted to use personal data for their own purposes and we only permit personal data to be processed for specific purposes and in accordance with our instructions.

International Transfers

In accordance with the satisfaction of the purposes and legal basis for the use and processing of personal data that are described in this policy, we may transfer data outside Brazilian jurisdiction.

In such cases, StoneX Group will ensure that personal data is only sent to a country that the national data protection authority considers has an adequate level of protection for personal data, or provided that all requirements under applicable Brazilian law relating to international transfers are met.

5.1.7 DATA SECURITY

Appropriate security measures are in place to prevent any personal data from being lost, used, altered, disclosed, or accessed in an unauthorized, inappropriate, or illicit manner. To this end, technical, administrative, and organizational security measures shall be adopted. In addition, access to personal data is restricted only to employees, agents, suppliers and other third parties who have a need to access it and who are subject to a duty of confidentiality. They must process personal data on instructions provided and are subject to a duty of confidentiality.

To avoid incidents with confidential data, logins and passwords are employed for access to the servers where the personal data are stored and access logs to such servers are kept to control and keep updated the inventory of access to personal data. Data are also backed up periodically and encryption techniques are used. All software, tools and technologies adopted by StoneX Group and/or its suppliers that involve the processing of personal data take into account market practices and have a reasonable level of updating. Our suppliers are subject to specific contractual obligations with regard to confidentiality, data privacy and cybersecurity.

Personal data security can be enhanced when you ensure that your computer environment or website access device remains secure by (i) using appropriate tools, (ii) using updated versions of browsers, operating systems and other applicable software, and (iii) not sharing your login and password with third parties. StoneX Group will not request, by email, telephone or WhatsApp, information regarding your access passwords or any personal information regarding you. If you suspect that any personal data is at risk you should contact us

Procedures are already in place for any suspected personal data breach and we will notify the responsible authority of a breach where we are legally obliged to do so.

5.1.8. DATA RETENTION

All personal data collected by StoneX Group is stored for the period necessary to meet the purposes described in this Privacy Policy or until the data subject, exercises the rights of opposition or cancellation, requesting the deletion of personal data or withdrawing the consent given. Once the personal data is no longer necessary or relevant for the predetermined purpose, the data will be deleted from our database.

However, in some circumstances we may keep it stored if necessary to protect your rights, comply with court orders, or comply with legal or regulatory obligations. We may also anonymize your personal data (so that it can no longer be associated with you) for statistical or research purposes, in which case we may use this information indefinitely without notice to you.

5.1.9. RIGHTS

In order to ensure that the personal data we hold and process is always correct, we ask you to notify us if there are any changes to your personal data.

Every customer has inherent rights as a holder of personal data. These rights aim to protect your personal data and safeguard your privacy. We list below what the customer’s rights are and how they can exercise them vis-à-vis StoneX Group:

– existence and access – To confirm whether any processing is carried out with the personal data, as well as to have access to the personal data processed by the Group, by requesting and receiving a document containing the full copy of the personal data and the respective processing carried out with it.

– rectification – To request the correction or updating of personal data if they are incorrect or outdated.

– explanation – Obtain information about the treatment performed with the personal data, the reason why personal data is collected, how it is used, with whom it is shared and for what reason, among other information.

– cancellation – Deleting personal data from our database, definitively, or requesting that they be anonymized or, further, requesting that the processing of personal data by StoneX Group be blocked. StoneX Group will always comply with the customer’s request, except with respect to requests for deletion and anonymization, when the maintenance of personal data is necessary for StoneX Group to protect its rights and/or comply with legal obligations. In cases of deletion, anonymization and blocking, it is possible that the customer will be unable to access certain features offered.

– opposition – to object to the processing of personal data, as well as to withdraw any consent that is linked to a particular purpose of processing. In the latter case, StoneX Group may continue to process personal data if the processing is supported by a legal basis other than consent. In the event of a dispute, StoneX Group may demonstrate that it processes personal data lawfully.

– Portability – Request that personal data stored by StoneX Group be sent to the owner of the data, or sent to a third party indicated as such, in a structured and interoperable format.

Any of the rights described here can be exercised at any time by a free and easy procedure. To do so, simply send a request to StoneX Group via email to dpobrasil@stonex.com. We shall use our best efforts to respond to all requests in the shortest possible time.

5.1.10. CONTACT INFORMATION

A data controller (DPO) is responsible for overseeing questions in relation to this privacy statement. If you have any questions about this statement, including requests to exercise your legal rights, please contact the data controller using the information below.

E-mail address: dpobrasil@stonex.com

5.2 RESPONSIBILITIES

5.2.1. DPO

Define criteria and monitor the guidelines established in this policy, proposing improvements in case of identification of deficiencies.

5.2.2 Areas that store or process client data

Act according to the guidelines established in this policy, treating data with due confidentiality.

Last revision: July 14, 2022