Legal Document

Privacy Policy

Last updated: January 24, 2026
Back

1. Introduction and Principles

Alba Invest (Alba Plataforma de Investimentos Alternativos Ltda., Tax ID 43.413.213/0001-58) recognises the importance of privacy and personal data protection. This Privacy Policy establishes the guidelines for the collection, use, storage, and protection of information, in strict compliance with the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018) and other applicable legislation.

Our commitment is based on the following principles:

  • Purpose: we collect data only for specific and legitimate purposes;
  • Adequacy: we limit processing to what is necessary for those purposes;
  • Necessity: we collect only essential data for service delivery;
  • Transparency: we clearly inform users about data usage;
  • Security: we implement robust protection measures;
  • Prevention: we adopt safeguards to prevent damage to data subjects.

2. Personal Data We Collect

2.1. Identification Data

  • Full name;
  • Brazilian individual or corporate taxpayer number;
  • Date of birth;
  • Nationality and place of birth;
  • Mother’s name;
  • Identity document details (RG, driver’s licence, passport) and issuing authority;
  • Photo for biometric verification, when applicable.

2.2. Contact Data

  • Primary and secondary email address;
  • Landline and mobile phone numbers;
  • Full residential address;
  • Business address, when applicable.

2.3. Financial and Asset Data

  • Gross and net monthly income;
  • Estimated net worth;
  • Source of funds;
  • Bank account details;
  • Transaction and investment history;
  • Bank statements and supporting documentation for validation;
  • Tax return and other fiscal documents.

2.4. Profile and Suitability Data

  • Responses to the suitability questionnaire;
  • Investor profile classification;
  • Investment objectives;
  • Investment time horizon;
  • Risk tolerance;
  • Knowledge and experience in investments;
  • Investment history on the platform.

2.5. Browsing and Technical Data

  • IP address and approximate geolocation;
  • Browser type and version;
  • Operating system and device used;
  • Cookies and session identifiers;
  • Access logs (date, time, pages visited);
  • Behavioural patterns on the platform;
  • Mobile device identifiers.

3. Purposes of Processing

3.1. Service Delivery

  • Registration and account opening on the platform;
  • Identity verification (KYC - Know Your Customer);
  • Processing of investment transactions;
  • Custody and registration of securities;
  • Periodic reporting and account servicing;
  • Customer support and technical assistance.

3.2. Compliance with Legal and Regulatory Obligations

  • Compliance with CVM requirements under Resolution No. 88/2022;
  • Prevention of money laundering;
  • Combating terrorist financing;
  • Compliance with tax and fiscal obligations;
  • Response to judicial or administrative orders;
  • Sharing with regulators and supervisory authorities.

3.3. Protection and Security

  • Fraud prevention and detection;
  • Protection against unauthorised access;
  • Credit and operational risk analysis;
  • Investigation of suspicious activity;
  • Information security and cybersecurity.

3.4. Service Improvement

  • Statistical analysis of platform usage;
  • Personalisation of user experience;
  • Development of new features;
  • Satisfaction surveys and feedback collection;
  • A/B testing and interface optimisation.

4. Legal Bases for Processing

Personal data processing is carried out on the following legal bases:

  • Performance of a contract: for registration, investment operations, and contracted services;
  • Compliance with legal obligations: to meet requirements imposed by CVM, the Central Bank, tax authorities, and other public bodies;
  • Legitimate interest: for fraud prevention, information security, credit protection, and service improvement;
  • Consent: for marketing communications, newsletters, and sharing with strategic partners when applicable;
  • Exercise of rights in legal proceedings: for defence in administrative or judicial proceedings.

5. Data Sharing

5.1. Who We May Share Data With

  • Regulatory Authorities: CVM, Central Bank, tax authorities, and other competent bodies;
  • Financial Institutions: banks, brokers, registrars, and custodians involved in transaction processing and custody;
  • Issuing Companies: for investor records and communications regarding invested offerings;
  • Service Providers: technology, cloud, analytics, collection, and support providers, under strict confidentiality obligations;
  • Judicial Authorities: in response to court orders or official investigations;
  • Credit Information Systems: for credit protection and risk analysis.

5.2. International Transfers

Some of our service providers may be located outside Brazil. Whenever necessary, we only carry out international transfers to countries or organisations offering an adequate level of protection, or under appropriate contractual safeguards in accordance with the LGPD.

6. Data Retention and Deletion

6.1. Retention Periods

  • Registration data: while the account remains active, plus 5 years after closure;
  • Financial transaction data: 10 years, as required by CVM and tax legislation;
  • AML records: 20 years, when required by applicable regulation;
  • Browsing data: from 6 months to 2 years, depending on purpose;
  • Marketing communications: until consent is withdrawn.

6.2. Data Deletion

After the applicable legal retention periods expire, data is securely and irreversibly deleted using appropriate technical methods.

7. Data Subject Rights

Under the LGPD, you have the following rights regarding your personal data:

  • Confirmation of processing: know whether we process your data;
  • Access: obtain a readable copy of your data;
  • Correction: rectify incomplete, inaccurate, or outdated data;
  • Anonymisation, blocking, or deletion: request such measures when data is unnecessary, excessive, or unlawfully processed;
  • Portability: receive your data in a structured format for transfer to another controller;
  • Deletion of consent-based data: request deletion of data processed based on consent;
  • Withdrawal of consent: revoke consent at any time;
  • Information on sharing: know with whom your data has been shared;
  • Information on the consequences of non-consent: understand the consequences of refusing consent;
  • Review of automated decisions: request human review of automated decisions affecting your interests.

7.1. How to Exercise Your Rights

You may exercise your rights through the following channels:

  • DPO email: privacidade@albainvest.com.br
  • Logged-in area: privacy settings available on the platform;
  • Mail: R. Rio Grande do Norte, 1435, Sala 708, Savassi, Belo Horizonte/MG, ZIP 30.130-138, Brazil.

We will respond within 15 days and may extend this period for an additional 15 days when justified, in accordance with the LGPD.

8. Information Security

8.1. Technical Measures

  • Encryption of sensitive data in transit and at rest;
  • Firewalls, intrusion detection, and DDoS protection;
  • Multi-factor authentication for platform access;
  • Continuous monitoring and vulnerability analysis;
  • Encrypted backups and data redundancy.

8.2. Organisational Measures

  • Information security policy and data classification;
  • Regular employee training on privacy and security;
  • Access control based on need-to-know principles;
  • Confidentiality agreements with employees and providers;
  • Security incident response plan.

8.3. In the Event of Incidents

If a security incident may result in relevant risk or damage to data subjects, we will:

  • Notify the Brazilian data protection authority when legally required;
  • Notify affected data subjects when necessary, in a timely manner;
  • Adopt appropriate corrective and preventive measures.

9. Cookies and Similar Technologies

We use cookies and tracking technologies to improve the user experience. For detailed information regarding cookie categories, purposes, and control options, please consult our Cookie Policy.

10. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. Such changes become effective on the publication date shown on the platform.

We will notify users of material changes through:

  • Email sent to the registered address, with reasonable notice whenever applicable;
  • A highlighted notice on the login area of the platform;
  • Push notification, when enabled;
  • Publication in the legal documents section.

11. Data Protection Officer

The Data Protection Officer is responsible for:

  • Handling data subject requests and complaints;
  • Guiding the company on data protection practices;
  • Communicating with the Brazilian data protection authority;
  • Receiving notices and communications from supervisory authorities.

DPO contact details:

  • Email: privacidade@albainvest.com.br
  • Address: R. Rio Grande do Norte, 1435, Sala 708, Savassi, Belo Horizonte/MG, ZIP 30.130-138, Brazil
  • Business hours: Monday to Friday, from 9 AM to 6 PM (except holidays).
Alba Plataforma de Investimentos Alternativos Ltda. — Tax ID 43.413.213/0001-58 — Electronic participatory investment platform authorised by the Brazilian Securities and Exchange Commission (CVM) pursuant to CVM Resolution No. 88/2022.