Privacy Policy
Effective date: April 1, 2026
1. Introduction
Magnet Customer Software Ltda. ("Magnet Customer", "we" or "our"), a private legal entity registered under CNPJ 52.678.731/0001-94, headquartered at Avenida Afonso Pena, 2440, Suite 62, Centro, Campo Grande/MS, Brazil, ZIP 79.002-934, operates the CRM and IRM (Investor Relationship Management) platform for the Brazilian financial market. We are committed to protecting the privacy and personal data of our customers, users, and visitors. This Privacy Policy describes how we collect, use, store, and protect your personal information in compliance with the Brazilian General Data Protection Law (LGPD — Federal Law No. 13,709/2018) and other applicable legislation.
2. Data we collect
We collect different categories of data depending on your relationship with Magnet Customer:
- Personal identification data: full name, professional email address, phone number, job title, and company
- Platform usage data: access logs, pages visited, features used, session duration, actions performed in the interface
- Technical data: IP address, browser type and version, device, operating system, time zone
- Communication data: messages sent via contact forms, email, support chat, or demo requests
- Financial data of our clients' customers: when our clients use integrations with custodians (BTG Pactual, Safra, XP Investimentos, and others), investor portfolio information is processed under the exclusive control of the client; Magnet Customer acts as a data processor in this context, pursuant to art. 37 of the LGPD
- Cookie and analytics data: via Google Analytics (with consent) for behavioral analysis on the institutional website
3. Purpose of processing
We use your personal data for the following purposes:
- Service delivery: provisioning, operation, and maintenance of the SaaS platform
- Communication and support: answering inquiries, processing demo requests, sending technical and security notifications
- Product improvement: usage analysis, issue identification, development of new features
- Marketing communications (with consent): newsletters, educational materials, product updates — you can unsubscribe at any time
- Billing and invoicing: invoice issuance, payment control, fraud prevention
- Compliance with legal obligations: responding to judicial requests, regulatory authorities (CVM, BACEN, Receita Federal), and tax obligations
4. Legal basis (LGPD)
All data processing by Magnet Customer has an express legal basis under the LGPD (art. 7 and art. 11), including:
- Consent (art. 7, I): for marketing communications and non-essential cookies
- Contract performance (art. 7, V): for providing services contracted by the client
- Legitimate interest (art. 7, IX): for product usage analysis, security, fraud prevention, and continuous improvement
- Legal obligation (art. 7, II): for responding to competent authorities and fulfilling tax obligations
5. Data sharing
We do not sell, lease, or commercialize your personal data. We may share data in the following circumstances:
- Infrastructure sub-processors: Amazon Web Services (AWS) — hosting in the São Paulo region (sa-east-1) — and Google Cloud Platform for analytics and auxiliary storage
- Communication providers: SendGrid (transactional emails), with data protection contractual clauses
- Financial integrations authorized by the client: BTG Pactual, Safra, XP Investimentos, and other custodians are engaged exclusively under the instruction and authorization of the contracting client
- Legal requests: when required by law, court order, or competent regulatory authority, following prior legal analysis
- Corporate transactions: in the event of merger, acquisition, or asset sale, with prior notice to data subjects
6. Data security
We adopt robust technical and organizational measures to protect your data against unauthorized access, loss, alteration, or destruction:
- Encryption in transit: TLS 1.2+ on all communications between client and server
- Encryption at rest: data stored with AES-256 encryption in MongoDB and in AWS S3 backups
- Multi-tenant isolation: each client has an isolated database or segregated collections, ensuring data from different organizations never mixes
- Access control: authentication via Keycloak (OAuth 2.0 / OpenID Connect), granular RBAC, and audit trail of all operations
- Automated backups: daily backups with 30-day retention, periodically tested to ensure restorability
- Monitoring and alerts: anomaly detection, centralized logs, and 24/7 incident response
7. Data retention
We retain your personal data for as long as necessary to fulfill the purposes described in this policy and applicable legal obligations:
- Active account data: retained for the entire duration of the service contract
- Data after termination: retained for up to 90 days to enable export, then securely deleted, unless a longer retention is legally required
- Access logs: as required by the Brazilian Internet Civil Rights Framework (Law 12,965/2014), for a minimum of 6 months
- Fiscal and accounting data: as required by applicable tax legislation (generally 5 years)
8. Your rights (LGPD)
Under arts. 17 to 22 of the LGPD, you have the following rights regarding your personal data, which can be exercised at any time:
- Confirmation and access: know whether we process your data and obtain a copy
- Correction: update incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion: of unnecessary, excessive, or non-compliant data
- Portability: receive your data in a structured and interoperable format
- Information about sharing: know with whom we share your data
- Consent revocation: withdraw consent at any time without affecting the lawfulness of prior processing
- Right to object: if you disagree with processing based on legitimate interest
9. Cookies
Our website uses cookies and similar technologies. You can manage your preferences through the cookie banner displayed on first access:
- Essential cookies: necessary for the basic functioning of the site (authentication, security, language preferences) — cannot be disabled
- Analytics cookies: collected via Google Analytics to understand visitor behavior and improve the site — require your consent
- Preference cookies: store custom settings to improve your experience — require your consent
- To disable cookies, access your browser settings or click "Manage cookies" in the site footer
10. International data transfers
Some of our sub-processors (AWS, Google) may process data on servers located outside Brazil. In such cases, we ensure transfers occur with adequate safeguards as provided by the LGPD (art. 33), including standard contractual clauses that ensure a level of protection equivalent to that required by Brazilian legislation.
11. Changes to this policy
We may update this Privacy Policy periodically. Significant changes will be communicated by email (to active clients) and through a prominent notice on our website, with a minimum of 15 days' notice. The effective date at the top of this page will always reflect the most recent version. Continued use of the platform after the effective date of changes constitutes agreement to the updated terms.
12. Data Protection Officer (DPO) and Contact
To exercise your rights, clarify questions, or report incidents related to personal data processing, please contact our Data Protection Officer (DPO):
- Email: privacidade@magnetcustomer.com
- Company: Magnet Customer Software Ltda. — CNPJ: 52.678.731/0001-94
- Headquarters: Av. Afonso Pena, 2440, Suite 62, Centro, Campo Grande/MS, Brazil, ZIP 79.002-934
- Jurisdiction: Court of Campo Grande/MS, elected to resolve any disputes arising from this policy