DePix App Privacy Policy
Last updated: June 7, 2026
1. Overview
This Privacy Policy describes how DePix App ("we", "Platform") collects, uses, shares and protects personal data, in compliance with Brazil's General Data Protection Law (Law No. 13,709/2018 — LGPD). It applies to use of the website depixapp.com, the web application (PWA) and the integrated wallet.
This Policy forms part of the Terms of Use. By using the Platform, you acknowledge the practices described here.
2. Who controls the data — roles
DePix App is interface software that controls only the minimum set of data needed for it to function (described in Section 5) — it does not control the User's financial-identification data.
Identification (KYC) data, including CPF and banking data, as well as the financial-operation data, are collected and controlled by the Partners, which act as autonomous controllers for their own purposes and regulatory obligations:
- Eulen (depix.info), the issuer of DePix, with respect to the data needed to issue and redeem the asset;
- the Banking Partners — Plebit — Plebit.com.br Soluções em Tecnologia Ltda. (CNPJ No. 43.375.652/0001-13) (plebit.com.br) and Plebz — Plebz Intermediação de Pagamentos Ltda. (CNPJ No. 45.808.899/0001-01) (plebz.com.br) — with respect to Pix processing, bank settlement, customer identification (KYC), AML/CFT and reporting obligations, for which they hold the regulatory authorizations.
In short: DePix App is the controller of the data described in Section 5; the Partners are independent controllers of the data they collect directly. Each third party processes data under its own privacy policy, which we recommend you read.
3. Data-subject channel
To exercise your rights or ask questions about the processing of your personal data, use the channel suporte@depixapp.com.
4. Principles
We process personal data in accordance with the LGPD principles, in particular purpose, adequacy, necessity (minimization), transparency, security, prevention and non-discrimination.
5. Data we collect
5.1. Data you provide
- Registration: name, e-mail address, WhatsApp contact, username and password (stored only in encrypted/hashed form).
- Merchant account: the establishment's CNPJ and website, where applicable.
- Support: the content of the messages you send us.
5.2. Operational data
- public Liquid Network addresses (deposit and wallet addresses);
- destination Pix keys provided for withdrawals;
- amounts, dates, identifiers and status of operations;
- where applicable, the Liquid transaction identifier (txid) recorded after broadcast, used for reconciliation and support.
5.3. Technical data
- IP address, device identifier, browser type, and access and log data;
- data collected by the anti-automation/bot-protection mechanism (Cloudflare Turnstile) on the registration and login screens.
5.4. Wallet data
The Wallet is non-custodial. We collect only the public addresses needed for it to function. See Section 6 for what we never collect.
5.5. Wallet telemetry
We may collect aggregated events about how the Wallet works (for example, wallet creation or load failures), without direct identification of the data subject — without any user identifier, IP, balances or addresses — and we do not link them to your account or intentionally combine them with other data to re-identify you. This telemetry relates exclusively to the Wallet and is distinct from the technical data (Section 5.3) — such as IP and device identifier — which is personal data processed for security and fraud prevention (Section 8).
5.6. Identification data (KYC) collected by the Partners
Identification of the holder (including the CPF or CNPJ and bank data linked to Pix) is collected and processed by the Banking Partners, as part of their KYC and AML/CFT obligations, and not directly by the Platform.
6. Data we do NOT collect
Because of the self-custody model, we never collect, transmit or store:
- the seed (recovery phrase), the PIN or the Wallet's private keys — these remain exclusively on your device;
- passwords in plain text;
- the end payer's banking or card data;
- sensitive personal data (Art. 11 of the LGPD).
7. Purposes of processing
We use the data to: enable registration and authentication; carry out and reconcile operations; provide support; prevent fraud and ensure security; comply with legal and regulatory obligations (directly or through the Partners); improve the Platform; and, with consent, send communications.
8. Legal bases
Processing is based on Art. 7 of the LGPD, according to the purpose:
| Purpose | Main data | Legal basis |
|---|---|---|
| Registration, authentication and carrying out operations | name, e-mail, username, addresses, Pix key, operation data | performance of a contract (Art. 7, V) |
| Compliance with legal and reporting obligations (by the Partners) | operation data; identification within the Partners' sphere | legal/regulatory obligation (Art. 7, II) |
| Security and fraud prevention | IP, device identifier, logs, risk signals | legitimate interest (Art. 7, IX) |
| Marketing communications | e-mail, contact | consent (Art. 7, I), revocable |
For processing based on legitimate interest, we carry out a balancing/proportionality assessment (LIA) and adopt safeguards to preserve your rights. This legitimate interest is limited to protecting the Platform and users against fraud, abuse and malicious automation; you may object to this processing (Art. 18, §2) through the channel in Section 3. The retention periods for each category are set out in Section 13.
9. Data sharing
We do not sell your personal data. We may share it, to the extent necessary, with:
- Eulen, with whom we share the operational data needed for issuance and redemption (for example, destination address and amount);
- the Banking Partners (Plebit, Plebz), which collect directly from the User and process the Pix, KYC, AML/CFT and reporting data, within their authorizations;
- infrastructure providers, solely to operate the Platform — for example, hosting and functions (Vercel), database (Turso), aggregated telemetry (Upstash), public blockchain indexing (Blockstream Esplora) and price quotation (external provider);
- competent authorities, where required by law or by a judicial/administrative order, including for reporting to the Federal Revenue Service (under the applicable tax legislation) and for reporting suspicious operations to COAF, carried out by the Partners, in which case the User may not be notified, owing to confidentiality duties.
10. Blockchain and public data
Transactions on the Liquid Network are recorded on a blockchain. Although Liquid uses Confidential Transactions (which hide amounts), addresses and the fact of a transaction may be public and immutable, and cannot be deleted. Correlating addresses with the holder's identity is, in theory, possible for anyone holding sufficient data (for example, authorities in possession of the Partners' records). We recommend good security practices in the use of addresses.
11. Cookies and local storage
We use cookies and local-storage technologies (such as localStorage and IndexedDB) strictly necessary for functioning and security — for example, session maintenance, preferences, addresses and the encrypted storage of the Wallet on the device. You can manage cookies in your browser settings, bearing in mind that some are essential.
12. International transfer
Some infrastructure providers may process data outside Brazil — for example, hosting and functions (Vercel), database (Turso) and aggregated telemetry (Upstash), typically on servers in the United States, and anti-automation protection (Cloudflare). In such cases, under the LGPD (Art. 33), we rely on the contractual guarantees offered by these providers (including data-protection clauses set out in their contracts/DPAs) and on security measures (encryption, access control), seeking an adequate level of protection.
13. Retention and deletion
We retain personal data only for as long as necessary for the purposes and to comply with legal obligations. As an indication:
- registration data: while the account is active and for up to 5 years after closure, owing to limitation periods (Art. 206 of the Civil Code) and possible defense;
- access logs: at least 6 months (Art. 15 of the Brazilian Civil Rights Framework for the Internet);
- operation records: for the applicable legal periods (as a rule, tax and crime-prevention periods, fulfilled within the Partners' sphere);
- data processed with consent: until withdrawal.
Once a deletion request ("right to be forgotten") is honored, we delete or anonymize the data under our control, except where mandatory retention applies; anonymous, aggregated telemetry data does not allow identification and may be retained. Public data already recorded on a blockchain cannot be deleted.
14. Security
We adopt technical and organizational measures to protect data, including encryption in transit (TLS/HTTPS), encryption at rest in the database, encrypted storage of the Wallet on the device (AES-GCM, with key derivation via Argon2id from the PIN), access control and audit logging. No system is completely secure, and we cannot guarantee absolute protection against unauthorized access.
In the event of a security incident that may give rise to relevant risk or harm to data subjects, we will notify those affected and the National Data Protection Authority (ANPD), as set out in Art. 48 of the LGPD.
15. Your rights
Under Art. 18 of the LGPD, you may request: confirmation that processing exists; access; correction; anonymization, blocking or deletion of unnecessary data or data processed in non-compliance; portability; information about sharing; objection to processing based on legitimate interest (Art. 18, §2); information about the option not to consent; and withdrawal of consent. Requests may be made through the channel indicated in Section 3 and will be handled within the legal timeframes. You may also petition the National Data Protection Authority (ANPD).
16. Automated decisions
Blocking, return and MED measures are decided and carried out by the Partners, within the Pix and issuance spheres. Within DePix App, automated security and fraud-prevention rules may be applied (for example, limiting attempts and identifying risk signals), which do not constitute a decision on the legality of the operation. Where an automated decision affects your interests, you may request a review through the channel in Section 3, under Art. 20 of the LGPD.
17. Children's privacy
The Platform is not intended for individuals under 18, and we do not knowingly collect data from minors. Age verification is by self-declaration, since identification (KYC) is carried out by the Partners. If processing of a minor's data is identified, we will delete it.
18. Changes to this Policy
This Policy may be updated at any time, indicating the date of update. Material changes may be communicated through available channels. Continued use after publication constitutes awareness of the current version.
19. Contact
To exercise your rights or ask questions about privacy, use suporte@depixapp.com or the application's support channels.