Privacy Policy

1. Introduction

Lunas Solucoes Ltda (operator of "LunasCRM"), a private legal entity registered under CNPJ 45.524.731/0001-74, headquartered at R Valdomiro Gonzaga Silva, 158 - Jd das Oliveiras, Sao Paulo - SP, CEP 08111-540, Brazil, operating as a banking correspondent under Brazilian Central Bank Resolution CMN 4,935/2021, presents this Privacy Policy to demonstrate its commitment to transparency and the protection of personal data of its clients, users, and visitors.

This Privacy Policy applies to the application "CRM Lunas" (also referred to as "WhatsApp CRM"), a customer relationship management platform that integrates with the WhatsApp Business API provided by Meta Platforms, Inc. to facilitate communication between our company and its clients regarding financial services.

This Policy describes how we collect, use, store, share, and protect your personal data, in compliance with Brazil's General Data Protection Law (Lei Geral de Protecao de Dados Pessoais - LGPD, Law 13,709/2018) and other applicable regulations.

By using our services, including our WhatsApp-based customer service, website, and other digital channels, you acknowledge and agree to the terms of this Policy.

2. App Description & Meta Platform Usage

CRM Lunas is a customer relationship management application developed and operated by Lunas Solucoes Ltda. The app integrates with the Meta Platform, specifically the WhatsApp Business API, to enable our team to communicate with clients about financial products and services, including loan simulations, credit proposals, and account inquiries.

2.1. Use of business_management Permission

CRM Lunas requests the business_management permission from Meta to:

• Access and manage WhatsApp Business accounts connected to our platform;
• Retrieve business profile information (business name, phone number, verification status);
• Configure message templates and manage messaging settings;
• Monitor account health, quality ratings, and messaging limits;
• Manage phone number registrations associated with the WhatsApp Business accounts.

This permission is used solely for administrative purposes related to operating the WhatsApp Business integration. No data obtained through this permission is sold, shared with third parties for advertising, or used for purposes unrelated to the CRM platform's core functionality.

2.2. Use of whatsapp_business_messaging Permission

CRM Lunas requests the whatsapp_business_messaging permission from Meta to:

• Send and receive WhatsApp messages on behalf of the connected WhatsApp Business accounts;
• Deliver service notifications to clients (e.g., proposal status updates, appointment reminders);
• Enable real-time customer support conversations through our CRM interface;
• Send pre-approved message templates for transactional and service-related communications;
• Receive and process incoming messages from clients who initiate contact;
• Deliver automated responses through AI-powered chatbots and conversation flows.

All messaging is conducted in compliance with Meta's WhatsApp Business Policy and Commerce Policy. We do not send unsolicited marketing messages without prior opt-in consent from the recipient.

3. Definitions

For the purposes of this Policy, the following definitions apply, as established by the LGPD (Article 5):

Personal Data

Information related to an identified or identifiable natural person (Art. 5, I).

Sensitive Personal Data

Data concerning racial or ethnic origin, religious conviction, political opinion, membership in trade unions or religious, philosophical, or political organizations, health or sex life data, genetic or biometric data (Art. 5, II).

Data Subject

The natural person to whom the personal data being processed refers (Art. 5, V).

Controller

Natural or legal person, public or private, responsible for decisions regarding the processing of personal data (Art. 5, VI). In this case, Lunas Solucoes Ltda.

Processor

Natural or legal person, public or private, that processes personal data on behalf of the controller (Art. 5, VII).

Data Protection Officer (DPO)

Person appointed by the controller and processor to act as a communication channel between the controller, data subjects, and the National Data Protection Authority - ANPD (Art. 5, VIII).

ANPD

Autoridade Nacional de Protecao de Dados (National Data Protection Authority), the public administration body responsible for overseeing, implementing, and enforcing compliance with the LGPD (Art. 5, XIX).

Processing

Any operation performed on personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction (Art. 5, X).

4. Data We Collect

In the course of our activities as a digital banking correspondent, we may collect the following categories of personal data:

4.1. Identification Data

• Full name
• CPF (Brazilian Individual Taxpayer Registry number)
• RG (Brazilian ID card) or other identification documents
• Date of birth
• Marital status
• Place of birth

4.2. Contact Data

• Mobile phone number
• Email address
• Full residential address

4.3. Financial and Professional Data

• Monthly income and employment information
• Bank account details (bank, branch, account number, account type, and Pix key)
• Payroll-deductible credit information and available payroll margin
• FGTS (Severance Indemnity Fund) balance and installment information
• Payroll registration and paying agency data (for public servants and INSS beneficiaries)

4.4. Browsing and Technical Data

• IP address (Internet Protocol)
• Browser type and operating system
• Device information
• Pages visited, date, and time of access
• Cookies and similar tracking technologies

4.5. Communication Data

• Messages sent and received via WhatsApp Business
• Records of interactions with our agents and chatbots
• Service recordings and records, when applicable

5. Data Collected via Meta APIs

Through our integration with the Meta Platform (WhatsApp Business API), we collect and process the following data:

5.1. From WhatsApp Business API (whatsapp_business_messaging)

• Phone numbers: the WhatsApp phone number of users who message our business accounts;
• Profile names: the display name set by the user on their WhatsApp profile;
• Message content: text messages, images, documents, audio, and other media sent to or received from our business accounts;
• Message metadata: timestamps, delivery status (sent, delivered, read), and message IDs;
• Conversation context: whether the conversation was initiated by the user or by the business.

5.2. From Business Management API (business_management)

• Business account information: WhatsApp Business account ID, name, and status;
• Phone number details: registered phone numbers, quality ratings, and verification status;
• Message template data: template names, statuses, and categories;
• Account metrics: messaging limits and account quality scores.

6. Purpose of Data Processing

The personal data collected is used for the following purposes:

• Financial product simulation and contracting: performing credit queries, payroll loan simulations, FGTS advance simulations, and other products through partner banks;
• Proposal status communication: informing the data subject about the progress of simulations, proposals, approvals, and contracts;
• Customer service: answering questions, requests, and complaints through our communication channels;
• Service improvement: analyzing the use of our digital channels to enhance user experience and process efficiency;
• Legal and regulatory compliance: meeting requirements of the Central Bank of Brazil, Federal Revenue Service, Ministry of Labor, and other regulatory bodies;
• Fraud prevention: verifying the identity of data subjects and protecting against fraudulent activities;
• WhatsApp Business operations: managing WhatsApp Business accounts, sending service notifications, and facilitating customer conversations through the Meta Platform;
• Marketing and institutional communication: sending information about new products, services, and special conditions, subject to prior consent from the data subject.

7. Legal Basis for Processing

The processing of your personal data is based on the following legal grounds provided by Article 7 of the LGPD:

• Data subject's consent (Art. 7, I): when you voluntarily provide your data for credit simulations, service contracting, or receipt of marketing communications;
• Performance of a contract or pre-contractual procedures (Art. 7, V): for carrying out simulations, credit analyses, and formalization of proposals with partner banks;
• Compliance with legal or regulatory obligation (Art. 7, II): to comply with Central Bank of Brazil regulations, anti-corruption legislation, anti-money laundering requirements, and other legal obligations applicable to banking correspondents;
• Legitimate interest of the controller (Art. 7, IX): for service improvement, fraud prevention, and operational security assurance, always respecting the fundamental rights and freedoms of the data subject.

8. Data Sharing

To provide our services, your personal data may be shared with the following categories of recipients:

• Partner financial institutions: banks and financial companies for which we intermediate credit operations, including the transmission of data necessary for loan simulation, analysis, and contracting;
• Payment processors: companies responsible for processing financial transactions linked to the contracted services;
• Technology service providers: IT infrastructure suppliers, cloud computing services, management systems, and communication tools that assist in operating our services;
• Meta Platforms, Inc. (WhatsApp): as the communication platform used for customer service. Messages and related metadata are processed through Meta's infrastructure, subject to Meta's own privacy policy and data processing terms;
• Regulatory authorities and government agencies: when required by law, court order, or request from agencies such as the Central Bank of Brazil, Federal Revenue Service, Public Prosecutor's Office, or ANPD.

9. Storage and Security

We employ appropriate technical and organizational measures to protect your personal data against unauthorized access, destruction, loss, alteration, or any form of improper processing.

9.1. Technical Measures

• Data encryption in transit (TLS/SSL) and at rest
• Firewalls and intrusion detection systems
• Continuous monitoring of access and suspicious activities
• Regular backups and data redundancy
• Regular software updates and security patches

9.2. Organizational Measures

• Role-based access control (principle of least privilege)
• Regular data protection training for employees
• Internal information security policies
• Confidentiality agreements with employees and service providers

9.3. Retention Period

Your personal data will be retained for the period necessary to fulfill the purposes for which it was collected, subject to applicable legal and regulatory retention periods. Specifically:

• Data related to financial operations: retained for a minimum of 5 (five) years, as required by applicable law;
• Data for legal compliance: retained for the period required by the respective regulation;
• Data collected by consent: retained until consent is revoked or the purpose is fulfilled;
• After the retention period, data will be securely deleted or anonymized.

10. Your Rights (Data Subject Rights)

Under Article 18 of the LGPD, as a data subject, you have the following rights, which may be exercised at any time by contacting our Data Protection Officer:

• Confirmation of processing (Art. 18, I): obtain confirmation that we process your personal data;
• Access to data (Art. 18, II): access the personal data we hold about you;
• Correction of incomplete, inaccurate, or outdated data (Art. 18, III): request correction of personal data that is incorrect or outdated;
• Anonymization, blocking, or deletion of unnecessary data (Art. 18, IV): request anonymization, blocking, or deletion of data processed in violation of the LGPD or that is excessive;
• Data portability (Art. 18, V): request portability of your data to another service or product provider, upon express request, in accordance with ANPD regulations;
• Deletion of data processed by consent (Art. 18, VI): request deletion of personal data processed on the basis of consent, except in cases of retention provided by Art. 16 of the LGPD;
• Information about sharing (Art. 18, VII): obtain information about the public and private entities with which we share data;
• Information about the possibility of not consenting (Art. 18, VIII): be informed about the possibility of not providing consent and the consequences of refusal;
• Revocation of consent (Art. 18, IX): revoke consent at any time by express declaration through the available contact channels.

11. Data Deletion

You have the right to request the deletion of your personal data held by CRM Lunas. To request data deletion, you may use any of the following methods:

• Email: Send a request to privacidade@lunascrm.com.br with the subject line "Data Deletion Request" and include your full name and CPF (or phone number) for identification;
• WhatsApp: Send a message to (11) 5286-2553 requesting the deletion of your data;
• Written request: Mail a written request to our headquarters at R Valdomiro Gonzaga Silva, 158 - Jd das Oliveiras, Sao Paulo - SP, CEP 08111-540, Brazil.

Upon receiving a valid deletion request, we will:

1. Verify your identity to ensure the request is legitimate;
2. Delete or anonymize your personal data from our active systems within 15 (fifteen) business days;
3. Request deletion of your data from any third parties with whom it was shared, where applicable;
4. Confirm the deletion to you via your preferred contact method.

12. Cookies

Our website uses cookies and similar technologies to improve your browsing experience, analyze traffic, and personalize content.

12.1. Types of Cookies Used

• Essential cookies: necessary for the basic functioning of the site, such as authentication and security. These cannot be disabled;
• Performance cookies: collect anonymous information about how visitors use the site (most visited pages, time spent) for improvement purposes;
• Marketing cookies: used to track visitors across different sites and display relevant ads. These include cookies from advertising platforms such as Google Ads and Meta (Facebook Pixel).

12.2. How to Manage Cookies

You can manage your cookie preferences directly in your browser settings. Most browsers allow you to block or delete cookies. However, disabling certain cookies may affect the functionality of our site.

To learn how to manage cookies in major browsers:

• Google Chrome: Settings > Privacy and security > Cookies
• Mozilla Firefox: Settings > Privacy & Security
• Safari: Preferences > Privacy
• Microsoft Edge: Settings > Cookies and site permissions

13. WhatsApp & Communications

Lunas Solucoes uses the WhatsApp Business API platform as its primary customer service and communication channel. The use of this channel involves the following privacy considerations:

13.1. Use of WhatsApp Business API

Our WhatsApp customer service is provided through the official WhatsApp Business API, supplied by Meta Platforms, Inc. Messages are transmitted through Meta's infrastructure and are also subject to Meta's own privacy policy.

13.2. Opt-in and Opt-out

• Opt-in: by initiating a conversation with us on WhatsApp or providing your phone number for contact, you consent to receiving messages related to the services requested;
• Opt-out: you may request to stop receiving messages at any time by sending the word "STOP" or "UNSUBSCRIBE" in reply to any message received, or by contacting us at privacidade@lunascrm.com.br.

13.3. Data Collected via WhatsApp

During WhatsApp interactions, we may collect:

• Phone number and profile name
• Content of messages exchanged (text, images, documents)
• Date and time of interactions
• Personal and financial data voluntarily provided by the data subject during the conversation

14. International Data Transfer

Some of our technology service providers, such as cloud infrastructure providers and communication platforms (including Meta Platforms / WhatsApp), may store or process data on servers located outside Brazil.

In such cases, international data transfers are carried out in compliance with Article 33 of the LGPD, ensuring that recipients provide a level of personal data protection compatible with Brazilian law, through:

• Standard contractual clauses that guarantee adequate data protection;
• Internationally recognized certifications or seals;
• Compliance with global corporate data protection standards.

15. Children

Lunas Solucoes' services are exclusively intended for individuals aged 18 (eighteen) years or older. We do not intentionally collect personal data from children or adolescents.

If we identify that data from minors has been inadvertently collected, we will take the necessary steps for the immediate deletion of such information, in compliance with Article 14 of the LGPD.

If you are the legal guardian of a minor and believe their data has been collected in error, please contact us at privacidade@lunascrm.com.br.

16. Meta Platform Terms Compliance

CRM Lunas operates in compliance with Meta's Platform Terms, including but not limited to:

• Meta Platform Terms: We adhere to Meta's terms of service for developers and businesses using the Meta Platform;
• WhatsApp Business Policy: All messaging through our platform complies with WhatsApp's Business Policy, including requirements for message templates, opt-in, and prohibited content;
• WhatsApp Commerce Policy: Our use of WhatsApp for financial service communications complies with the applicable commerce policies;
• Data Use Restrictions: Data obtained through Meta APIs is used solely for the purposes described in this Privacy Policy and is not shared with third parties for purposes unrelated to our CRM platform's functionality;
• Data Security: We implement appropriate technical and organizational security measures to protect data obtained through Meta APIs, as required by Meta's Platform Terms.

17. Changes to this Policy

This Privacy Policy may be updated periodically to reflect changes in our data processing practices, new legal or regulatory requirements, or improvements to our services.

Changes will be communicated through:

• Publication of the updated version on this same page, with the new update date indicated;
• WhatsApp or email notification, when changes are substantial and directly affect the rights of data subjects;
• A prominent notice on our website, when applicable.

We recommend that you review this Policy periodically to stay informed about how we protect your data.

18. Contact & Data Protection Officer (DPO)

For questions, requests, or complaints related to the processing of your personal data, or to exercise any of the rights provided by the LGPD, please contact our Data Protection Officer (DPO):

This Privacy Policy was prepared in compliance with Brazil's General Data Protection Law (Lei Geral de Protecao de Dados Pessoais - Law 13,709/2018), the Brazilian Internet Civil Framework (Marco Civil da Internet - Law 12,965/2014), Central Bank Resolution CMN 4,935/2021 (banking correspondents), and Meta Platform Terms.