1. Purpose
This Personal Data Protection Policy sets forth the principles, responsibilities and procedures adopted by Nora Finance for the processing of personal data collected, stored and processed in the course of its activities as a stablecoin issuer, in compliance with Law no. 13,709/2018 (Brazilian General Data Protection Law - LGPD) and other applicable rules.
The policy aims to ensure that all personal data processing performed by Nora Finance observes the principles of purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination and accountability, as set forth in art. 6 of the LGPD.
2. Nora Finance's Position on Data Processing
Nora Finance operates exclusively as a stablecoin issuer (pure issuer model), having as direct customers only the Nora Authorized Minters (NAMs) - legal entities credentialed to mint and burn BRS. Nora Finance does not maintain a direct relationship with end users.
As a result of this model, the processing of personal data by Nora Finance is structurally limited and occurs primarily in the following situations:
- Collection of personal data of legal representatives and ultimate beneficial owners (UBOs) of NAMs during the KYB process
- Processing of data of employees, service providers and business partners
- Processing of data of visitors to the institutional website and digital channels
- Processing of personal data that may incidentally appear in monitored on-chain transactions
| Important Note: Nora Finance does not process personal data of end users of the NAMs. Responsibility for processing such users' data lies entirely with each NAM, in its capacity as an independent controller in relation to its own customers. |
|---|
3. Legal and Regulatory Basis
| Instrument | Relevance |
|---|---|
| Law no. 13,709/2018 (LGPD) | Brazilian General Data Protection Law; defines legal bases, data subject rights, controller/processor obligations and the sanctioning regime |
| ANPD Resolution no. 2/2022 | Regulation applicable to small-sized processing agents (where applicable) |
| ANPD Resolution no. 4/2023 | Regulation on Dosimetry and Application of Administrative Sanctions |
| ANPD Resolution no. 15/2024 | Regulation on Security Incident Notification |
| Law no. 9,613/1998 (AML/CFT) | Legal hypothesis for processing (compliance with legal and regulatory obligation) |
| Law no. 14,478/2022 | Brazilian crypto-asset legal framework; combined with AML/CFT obligations that justify data processing |
| GDPR (EU Regulation 2016/679) | Adopted as additional reference for processing involving cross-border elements, in particular international data transfers |
4. Definitions
| Term | Definition |
|---|---|
| Personal Data | Information related to an identified or identifiable natural person (art. 5, I, LGPD) |
| Sensitive Personal Data | Data on racial or ethnic origin, religious belief, political opinion, union membership, health data, sex life, genetic or biometric data (art. 5, II, LGPD) |
| Processing | Any operation performed with personal data, including collection, storage, classification, use, processing, transfer and deletion (art. 5, X, LGPD) |
| Data Subject | Natural person to whom the personal data being processed refers (art. 5, V, LGPD) |
| Controller | Person responsible for decisions regarding the processing of personal data (art. 5, VI, LGPD) |
| Processor | Person who processes personal data on behalf of the controller (art. 5, VII, LGPD) |
| Data Protection Officer (DPO) | Person appointed by the controller to act as a communication channel between the controller, data subjects and the ANPD (art. 5, VIII, LGPD) |
| ANPD | Brazilian National Data Protection Authority (art. 5, XIX, LGPD) |
| Security Incident | Confirmed adverse event related to a security breach that may pose risk or material harm to data subjects (art. 48, LGPD) |
| DPIA | Data Protection Impact Assessment (art. 5, XVII, LGPD) |
5. Policy Principles
Nora Finance adopts the principles set forth in art. 6 of the LGPD across all its processing activities:
- Purpose: processing occurs only for legitimate, specific, explicit purposes informed to the data subject
- Adequacy: processing is compatible with the informed purposes
- Necessity: processing is limited to the minimum necessary to achieve the purposes
- Free access: guarantee of free and accessible consultation by data subjects regarding the processing of their data
- Data quality: guarantee of accuracy, clarity, relevance and currency
- Transparency: clear, accurate and easily accessible information about processing
- Security: technical and administrative measures to protect data
- Prevention: adoption of measures to prevent damages
- Non-discrimination: prohibition of processing for unlawful or abusive discriminatory purposes
- Accountability: demonstration of effective measures evidencing LGPD compliance
6. Categories of Data Processed and Legal Bases
6.1 Processing Map
Nora Finance performs the following processing of personal data, each with its respective legal basis:
| Processing Activity | Data Categories | Data Subjects | Legal Basis (LGPD) |
|---|---|---|---|
| KYB of NAMs (legal representatives and UBOs) | Full identification, ID documents, facial biometrics, PEP qualification, proof of address | Natural persons connected to NAMs | Art. 7, II (compliance with legal obligation) and art. 7, V (contract execution) |
| Sanctions and PEP screening | Full name, date of birth, nationality, ID document | NAM representatives and UBOs | Art. 7, II (compliance with legal obligation) and art. 11, II, "a" (compliance with controller's legal obligation) for sensitive data when applicable |
| On-chain transaction monitoring | Wallet addresses, amounts, timestamps, counterparties | Indirect: persons associated with wallets | Art. 7, II (compliance with AML/CFT legal obligation) and art. 7, IX (legitimate interest) |
| COAF reporting | Full set of suspicious operation data and the involved NAM | Representatives, UBOs, counterparties | Art. 7, II (compliance with legal obligation - Law no. 9,613/1998) |
| Employee management | Identification, contractual data, financial data, health data when applicable | Employees and contractors | Art. 7, V (contract execution), art. 7, II (labor and social security obligations), art. 11, II, "a" and "b" (legal obligations in occupational health) |
| Business and supplier relationships | Identification of representatives, professional contacts | Natural persons connected to partners | Art. 7, V (contract execution) and art. 7, IX (legitimate interest) |
| Institutional website and forms | Contact data, navigation data (strictly necessary cookies) | Website visitors | Art. 7, IX (legitimate interest) and art. 7, I (consent, where applicable to non-essential cookies) |
| Marketing and relationship communications | Name, professional email, company | Business contacts | Art. 7, I (consent) or art. 7, IX (legitimate interest), as applicable |
6.2 Sensitive Personal Data
Nora Finance processes sensitive personal data on a restricted basis, essentially limited to:
- Facial biometric data collected for identity verification (liveness check) of NAM UBOs and representatives, under art. 11, II, "a" of the LGPD (compliance with AML/CFT legal obligation)
- Eventual employee health data, processed for compliance with labor and occupational health obligations, under art. 11, II, "a" and "b" of the LGPD
Nora Finance does not process sensitive data for commercial, marketing or profiling purposes.
6.3 Processing of Children and Adolescents' Data
Nora Finance does not direct its products or services to children or adolescents and does not process personal data of persons under 18 years of age. Should involuntary processing of such data be identified, it will be immediately ceased and the data deleted, except where a legal obligation requires otherwise.
7. Data Subject Rights
Data subjects whose personal data is processed by Nora Finance have the rights guaranteed by art. 18 of the LGPD:
| Right | Description |
|---|---|
| Confirmation | Confirmation of the existence of processing |
| Access | Access to the personal data being processed |
| Correction | Correction of incomplete, inaccurate or outdated data |
| Anonymization, blocking or deletion | Of unnecessary, excessive data, or data processed in non-compliance with the LGPD |
| Portability | Portability of data to another service provider, subject to commercial and industrial secrecy |
| Deletion | Deletion of data processed with consent, except in the cases of art. 16 of the LGPD |
| Information on sharing | Identification of public and private entities with which data has been shared |
| Information on non-consent | Information on the possibility of refusing consent and the consequences of refusal |
| Consent revocation | Revocation of consent, under art. 8, paragraph 5 of the LGPD |
| Objection | Objection to processing performed on a basis other than consent, in case of LGPD non-compliance |
| Review of automated decisions | Review of decisions taken solely based on automated processing affecting the data subject's interests |
7.1 Data Subject Channel
Requests related to the exercise of rights may be submitted to:
- Email: dpo@norafinance.xyz
- Response timeframe: up to 15 (fifteen) days from receipt of the request, under art. 19, paragraph 1, II of the LGPD
- Mandatory data subject identification to confirm legitimacy of the request
7.2 Limitations on the Exercise of Rights
Certain rights may be limited where processing is necessary for the controller to comply with a legal or regulatory obligation, in particular AML/CFT obligations (Law no. 9,613/1998) requiring a minimum 5-year retention. In such cases, Nora Finance will inform the data subject of the applicable legal basis and the minimum retention period.
8. Data Sharing and Processors
8.1 Sharing Principles
Nora Finance shares personal data with third parties only when strictly necessary to fulfill the purposes informed to the data subject or to comply with a legal or regulatory obligation. All sharing is subject to:
- Prior assessment of purpose and necessity
- Contractual formalization with specific data protection clauses
- Access limited to the minimum necessary
- Guarantee that the third party adopts equivalent security standards
8.2 Categories of Processors and Third Parties
Nora Finance uses the following processors and third parties for personal data processing:
| Category | Purpose | Predominant Location |
|---|---|---|
| KYB/KYC and PEP/sanctions screening provider | Document verification, biometrics, ongoing screening | International (EU/UK) |
| Blockchain analytics provider | On-chain monitoring, wallet screening | International (USA) |
| Transaction monitoring provider | Atypical pattern detection | International (USA) |
| Proof of reserves provider | Verifiable publication of BRS backing | International |
| Cloud infrastructure providers | Hosting of applications and databases | Brazil or regions with adequate level of protection |
| Email and productivity providers | Corporate communication | International (USA) |
| External legal counsel | Regulatory, contractual and litigation advice | Brazil |
| External audit | Accounting and compliance audit | Brazil |
| Public authorities and regulators | Compliance with legal obligations (COAF, BCB, ANPD, Federal Revenue, Judiciary) | Brazil |
8.3 Sharing Required by Law
Nora Finance may share personal data with public authorities and regulators when required by law, court order or valid administrative determination, in particular:
- COAF reports under Law no. 9,613/1998
- Compliance with determinations from the Central Bank of Brazil
- Compliance with court orders
- Compliance with requirements from the Brazilian Federal Revenue
9. International Data Transfers
9.1 Transfers Performed
Due to the use of international processors specialized in compliance and infrastructure, Nora Finance performs international transfers of personal data. These transfers comply with art. 33 of the LGPD and occur in the following hypotheses:
- To countries that provide an adequate level of protection, as recognized by the ANPD
- When the controller offers and demonstrates guarantees of compliance with the principles and rights of the data subject, through specific contractual clauses, global corporate rules, seals, certificates and codes of conduct
- When necessary for the controller to comply with a legal or regulatory obligation
- When necessary for the execution of a contract to which the data subject is a party
9.2 Safeguards Adopted
- Data protection contractual clauses in all contracts with international processors
- Prior assessment of the destination country's protection level
- Verification of information security certifications (e.g., ISO 27001, SOC 2)
- Where applicable, adoption of standard clauses equivalent to GDPR SCCs
- Internal documentation of the legal basis of each transfer
10. Information Security and Data Protection
Nora Finance adopts technical and administrative measures suitable to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination (art. 46 of the LGPD).
10.1 Technical Measures
- Encryption in transit (TLS 1.2 or above) and at rest for sensitive databases
- Role-based access control (least privilege) and segregation of duties
- Mandatory multi-factor authentication (MFA) for access to systems processing personal data
- Access and change logs with retention periods compatible with the applicable legal obligation
- Regular backups with encryption and periodic restoration testing
- Environment segregation (production, staging, development)
- Periodic vulnerability assessments and review of security configurations
- Server hardening and review of software dependencies
10.2 Administrative Measures
- Internal Information Security Policy
- Confidentiality terms signed by every employee and contractor
- Periodic training of employees on data protection and information security
- Vendor risk assessment prior to contracting
- Formal access revocation procedures upon employee deactivation
- Inventory of data processing activities (Record of Processing Activities, art. 37 of the LGPD)
- Periodic review of access permissions
11. Data Retention and Deletion
11.1 Retention Periods
Nora Finance retains personal data for the time strictly necessary to fulfill the purposes for which it was collected, observing the following minimum periods:
| Category | Minimum Retention Period | Basis |
|---|---|---|
| NAM KYB data (including UBOs and representatives) | 5 years after termination of relationship | Art. 10, paragraph 2 of Law no. 9,613/1998 |
| Mint/burn transaction records and monitoring alerts | 5 years after the operation | Art. 10, paragraph 2 of Law no. 9,613/1998 |
| COAF reports | 5 years after submission | Art. 11, II, of Law no. 9,613/1998 |
| Contractual data with suppliers and partners | 5 years after termination of contract | Art. 206, paragraph 5, I of the Brazilian Civil Code |
| Employee data | As per applicable labor and social security legislation | CLT, INSS and other rules |
| Website visitor data | For the purpose period or until consent revocation | LGPD |
11.2 Deletion
Once the retention period has elapsed and purposes have been fulfilled, personal data is securely deleted, except in cases authorized by art. 16 of the LGPD (compliance with legal obligation, study by research body, transfer to third party, exclusive use by the controller provided data is anonymized).
Deletion covers data in the production environment and in backups, observing the technical media rotation cycles.
12. Security Incidents
12.1 Internal Procedure
Upon identification of a security incident involving personal data, Nora Finance:
- Immediately activates the Compliance team and the DPO
- Performs containment, investigation and impact assessment
- Documents the incident, its causes, affected data, measures adopted and impacts
- Assesses the obligation to notify the ANPD and affected data subjects
12.2 Notification to ANPD and Data Subjects
Notification to the ANPD will be performed when the incident may pose risk or material harm to data subjects, observing the criteria and deadlines established by ANPD Resolution no. 15/2024. The notification contains, at minimum:
- Description of the nature of the affected data
- Information about the data subjects involved
- Indication of the technical and security measures used
- Risks related to the incident
- Reasons for any delay, where notification was not immediate
- Measures adopted or to be adopted to reverse or mitigate the effects
Notification to data subjects will be performed where applicable, in clear and accessible language.
13. Data Protection Officer (DPO)
Nora Finance formally appoints its Data Protection Officer, responsible for the duties set forth in art. 41, paragraph 2 of the LGPD:
- Receiving complaints and communications from data subjects, providing clarifications and taking action
- Receiving communications from the ANPD and taking action
- Guiding employees and contractors on data protection practices
- Performing other duties determined by the controller or by complementary rules
| DPO Identification | |
|---|---|
| DPO | Bruno Moniz |
| Title | CFO & Compliance Officer |
| Email | dpo@norafinance.xyz |
14. Responsibilities
| Responsible Party | LGPD Duties |
|---|---|
| Bruno Moniz (CFO, Compliance Officer and DPO) | Data Protection Officer; channel with data subjects and the ANPD; policy approval and review |
| Jean Martina (CTO & Co-Compliance Officer) | Implementation of technical security measures; maintenance of access controls; technical incident response |
| Luigi Remor (CEO) | Executive sponsorship of data protection culture; approval of strategic decisions involving data processing |
| Victor Cioffi (CRO) | Adherence to minimization and purpose principles in commercial initiatives; referral to DPO of demands involving personal data |
| External Legal Counsel | Legal guidance in complex cases; policy review; support in incidents and regulatory demands |
| All Team Members | Processing of data in accordance with this policy; immediate notification to the DPO of any suspected incident or irregularity |
15. Training and Data Protection Culture
- Every employee receives initial LGPD training during onboarding
- Mandatory annual refresher training
- Periodic communications on information security and privacy best practices
- The DPO maintains continuous professional development on applicable legislation and regulation
- Privacy culture is a leadership responsibility and permeates product, technology and operations decisions
16. Review and Effectiveness
This policy enters into force on the date of its approval by Nora Finance's executive board and shall be reviewed:
- Annually, as part of the regular internal policy review cycle
- Whenever a material change occurs in applicable legislation or regulation
- Upon recommendation by external legal counsel or external audit
- In the event of a security incident requiring procedural adjustment
- Upon implementation of new products, services or material processing activities
| Version | Date | Changes |
|---|---|---|
| 1.0 | March 2026 | Initial version |
| Bruno Moniz, CFO, Compliance Officer & DPO - Nora Finance | Jean Martina, CTO & Co-Compliance Officer - Nora Finance |
|---|---|
17. Related Documents
- KYC/KYB Policy - Nora Authorized Minters (NAM)
- Anti-Money Laundering and Counter-Terrorism Financing Policy (AML/CFT)
- NAM Program v1 - Nora Authorized Minters
- NAM Agreement (Authorized Minter Partnership Agreement)
- Information Security Policy - to be drafted
- Record of Processing Activities (ROPA) - to be drafted