1. Who We Are

1.1 Company Information

Bullet is a trademark owned by BULLET PAYMENTS AND FINANCIAL SERVICES LTD., a limited liability company headquartered in Vancouver, British Columbia – BC, located at 578-2912 WEST BROADWAY, Postal Code V6K0E9, Canada, registered under number BC1506717, and the controlling entity responsible for processing your personal data. The Bullet platform is available exclusively through the URL: https://bullet.cash.

MSB Registration: C100000796 (FINTRAC – Canada)

1.2 Policy Amendments

Bullet may amend this Privacy Policy at any time. If changes occur, you will be notified by email and/or through a notice in our App. If you do not agree with the changes, you must stop accessing the website and using Bullet's services. Continued access constitutes acceptance of updated terms.

1.3 Data Protection Officer

Data Protection Officer (DPO) / Privacy Officer: Name: Victor Araujo

The DPO/Privacy Officer is responsible for:

  • Ensuring compliance with PIPEDA (Canada) and LGPD (Brazil)
  • Receiving and responding to privacy inquiries and complaints
  • Communicating with the ANPD (Brazil) and the Office of the Privacy Commissioner of Canada
  • Advising on data protection practices

For privacy-related matters: [email protected]

2. How Does Registration on Bullet Work?

2.1 Data Collection for Registration

Bullet collects the personal data necessary, as listed below, to properly provide its functionalities and comply with legal obligations. By registering and using the Services, you provide Bullet with personal data, which will be processed in accordance with this Privacy Policy.

2.2 Age Restriction

Users under eighteen (18) years of age must not use Bullet. If Bullet becomes aware of registrations made by minors, their personal data will be deleted from databases and accounts will be canceled.

3. What Personal Data Is Collected?

3.1 Categories of Personal Data

(a) Basic Registration Data

You voluntarily submit and expressly authorize Bullet to collect and process:

  • Full name
  • Tax identification number (CPF/SIN)
  • Email address
  • Phone number
  • Date of birth
  • Full address

(b) Data for Additional Services and Regulatory Compliance

Additional personal data may be required, such as:

  • Copy of driver's license, ID card, or other identification document
  • Proof of address
  • User photo (selfie)
  • Proof of income and tax returns, including income tax declaration
  • Other data and documents required by authorities and regulatory bodies

(c) Banking and Financial Transaction Data

To enable financial transactions, Bullet may request:

  • Proof of relationship with financial institutions
  • Identification of financial institutions, branches, and bank accounts
  • PIX transfer keys
  • Other data necessary to carry out transactions

(d) Promotional Data

For participation in exclusive promotions offered by Bullet, including platform nickname data.

3.2 Accuracy of Information

Bullet is not responsible for the accuracy, untruthfulness, or outdatedness of the information you provide, but we commit to correcting it upon request, as required by law.

3.3 Third-Party Websites

This Policy does not apply when you click on a link and are redirected to third-party websites, Bullet partners. Review third-party privacy policies before providing personal data.

4. What Technical Data Is Collected?

4.1 Technical Information Authorization

You authorize the collection of the following technical information:

  • Access IP address
  • Access time
  • Date and time of access
  • Device type
  • Pages visited
  • Language used
  • Your location
  • Roaming tracking
  • Software crash reports
  • Browser type

4.2 Anonymized Data Usage

We use anonymized personal data to produce statistics, studies, research, project planning and surveys relevant to Bullet's services and user behavior. Anonymized data is also used to manage risks and detect, prevent, and/or remediate fraud or other potentially illegal or prohibited activities.

4.3 Marketing Communications

For promotional purposes of Bullet's products and services, you may choose, at registration, to authorize or not the use of your data for this purpose, ensuring that your consent is given freely, informedly, and unequivocally. Opt-out is available at any time by contacting Bullet.

4.4 Service Notifications

You also authorize Bullet to use your preferences to notify you of new services that may be of interest to you.

5. Purpose of Data Processing

5.1 Legal Basis Foundation

When you contract Bullet, you provide the personal data necessary to enable the operation and provision of Services. We also collect data to comply with legal obligations, based on your consent, and to meet Bullet's legitimate interests.

5.2 Legal Bases for Data Processing

In accordance with LGPD (Law 13.709/2018, Art. 7) and PIPEDA:

(a) Performance of a Contract (Art. 7, V LGPD)

Data used for:

  • Processing financial transactions
  • Managing your account
  • Providing the contracted services
  • Billing

(b) Compliance with Legal or Regulatory Obligation (Art. 7, II LGPD)

Data used for:

  • Compliance with FINTRAC (Canada), Central Bank of Brazil, COAF
  • Identity verification (KYC)
  • Anti-money laundering and counter-terrorism financing (AML/CTF)
  • Retention of records for 5 years
  • Compliance with court orders

(c) Legitimate Interest (Art. 7, IX LGPD)

Data used for:

  • Fraud prevention and detection
  • System and transaction security
  • Risk analysis
  • Product and service improvement

You may object to processing based on legitimate interest.

(d) Consent (Art. 7, I LGPD)

Data used for:

  • Marketing communications
  • Sharing with non-essential business partners
  • Non-essential cookies

You may withdraw consent at any time.

5.3 Purpose Change Notification

Whenever the purpose of processing changes in a manner incompatible with the original consent, you will be informed in advance and may revoke your consent if you disagree. Bullet only processes personal data when there is a legal basis to do so.

5.4 Primary Data Usage Purposes

The data listed in item 3 is used by Bullet exclusively to:

  • Identify you and validate the data provided
  • Enable financial transactions between you and Bullet
  • Include your data in Bullet's services/products
  • Provide the service properly
  • Billing
  • Contact you to address requests and inquiries
  • Assess whether you are over 18 years of age and eligible to use Bullet
  • Contact you about Bullet's services and third-party services that may be of interest

5.5 Data Processing for Enhanced Services

The data listed in items 3 and 4, including payment and financial transaction data, are used exclusively to: improve your user experience; validate your identity, ensure security, conduct risk and fraud analyses; comply with regulatory obligations, including customer identification and prevention of money laundering or terrorist financing; fulfill Bullet's legitimate interests in delivering its services.

5.6 Consent-Based Activities

In addition to the purposes and legal bases described above, certain activities will only be carried out with your consent, such as promotion of Bullet's products and services and those of third parties.

5.7 Processing Termination

Processing will be carried out in accordance with the law and will end when: the purpose is fulfilled or no longer necessary; the processing period has ended; you request its termination; required by competent authorities.

5.8 Data Storage and Usage During Processing

While processing is ongoing, all personal data provided to Bullet: will be stored in a secure database with controlled access restricted to authorized personnel subject to confidentiality obligations; will be used exclusively for the purposes for which you consented or were informed; will comply with applicable legal requirements.

6. Sharing of Personal Data

6.1 Financial Transaction Sharing

To carry out financial transactions with banks and payment service providers, Bullet may share data and retain transaction records.

6.2 Regulatory Authority Sharing

Bullet may also share data to comply with requirements from public and/or regulatory authorities, including: Canada: FINTRAC (Financial Transactions and Reports Analysis Centre of Canada), Office of the Privacy Commissioner of Canada, judicial and law enforcement authorities.

As a registered Money Service Business (MSB), Bullet is legally required to report certain transactions and maintain records. Data may be shared with third parties to enforce terms of use or contracts, in line with legitimate interest.

6.3 Service Provider Sharing

Bullet may share personal data with service partners to enable contracted services, such as:

  • Cloud hosting and infrastructure providers
  • Identity verification and KYC service providers
  • Payment processors and financial institutions
  • Fraud prevention and security services
  • Communication service providers

All service providers are contractually required to maintain confidentiality and use data only for specified purposes.

6.4 Partner Notification of Data Requests

If you request correction, deletion, anonymization, blocking of data, or withdrawal of consent, we will inform our partner companies with whom your personal data has been shared so that they may take the requested actions.

7. Data Subject Rights

7.1 Rights Available

As the owner of your personal data, you may, at any time and upon written request:

  • Confirm the existence of processing
  • Access your data
  • Correct incomplete, inaccurate, or outdated data
  • Anonymize, block, or delete unnecessary, excessive, or unlawfully processed data
  • Transfer your personal data to another service provider
  • Delete personal data processed with your consent
  • Obtain information about public and private entities with whom we share data
  • Obtain information about the possibility of refusing consent and the consequences
  • Revoke consent for processing personal data

7.2 Exercise of Rights Procedures

To exercise any of your rights, contact: [email protected]

Response Time:

  • Brazil Users: 15 calendar days (LGPD Art. 18, §1)
  • Canada Users: 30 days (PIPEDA)

Identification Required: To protect your privacy, we require proof of identity (government-issued photo ID) before handling access, correction, or deletion requests.

Cost: Most requests are processed at no cost. For extensive or repetitive requests, Bullet may charge a minimal fee to cover costs and will inform you in advance.

Format of Response: Information will be provided in a comprehensible format (PDF or another requested format).

7.3 Limitations on Rights Exercise

There may be cases in which your request cannot be fulfilled (for example, we may retain and use data processed with consent as permitted by law). In such cases, you will be informed of the reason and provided with the relevant contact information.

Bullet cannot comply with requests when:

  • Data is necessary to comply with a legal obligation (e.g., 5-year retention for FINTRAC)
  • Data is necessary for the regular exercise of rights in judicial proceedings
  • Data is protected by professional secrecy
  • Deletion would be impossible or require disproportionate efforts (LGPD Art. 18, §3)

7.4 Account Closure and Communications Retention

If you wish to exercise any of the above rights, or in case of questions, suggestions, or complaints, contact us at [email protected]. Your account will be closed after your data is deleted. Bullet will retain communications as required by public authorities or competent bodies, including for legal defense purposes.

8. Retention of Personal Information

Bullet retains personal information only for the time necessary to fulfill the purposes for which it was collected, comply with legal/regulatory obligations, and preserve rights in judicial or administrative proceedings. The retention periods below comply with applicable laws in Canada (PIPEDA, FINTRAC) and Brazil (LGPD, Central Bank, COAF).

8(a) Transaction and Financial Records

Duration: Minimum of 5 years

Legal Requirement: FINTRAC regulations (Canada) under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations and, in Brazil, Resolution BCB No. 277/2023, Circular BCB No. 3.978/2020, and Law No. 9.613/1998 (Art. 10, I) require MSBs and financial institutions to retain transaction records, KYC documents, and AML/CTF records for at least 5 years from the date of the transaction or termination of the relationship.

8(b) Account Information

Duration: Duration of relationship + 5 years

Purpose: Contract performance and legal defense in compliance with FINTRAC obligations.

8(c) Marketing Consent

Duration: Until consent is withdrawn

After withdrawal, Bullet will immediately stop marketing communications and suppress your contact information.

8(d) Security Logs

Duration: 12 months

Purpose: Security incident investigations.

8(e) Anonymized Data

Duration: Indefinitely

Anonymized data is no longer considered personal information under PIPEDA and LGPD (Art. 12).

Secure Destruction

After the retention period ends, we securely and permanently destroy personal information through secure deletion or physical destruction, unless longer retention is required by law.

9. Security Measures to Protect the User

9.1 Technical and Organizational Measures

Bullet will always take appropriate technical and organizational measures to protect your personal data to the greatest extent possible. Various industry-standard security measures are adopted to protect your information, which is stored in a secure and confidential database.

Technical Measures:

  • Access Controls: Multi-factor authentication for administrative access; role-based access control
  • Network Security: Firewalls, intrusion detection/prevention systems, 24/7 monitoring

Organizational Measures:

  • Confidentiality Obligations: All employees and contractors sign NDAs
  • Security Training: Mandatory privacy and security training for all staff
  • Vendor Management: Data processing agreements with all service providers requiring protection equivalent to PIPEDA and LGPD

9.2 Account Credentials Responsibility

Your account will be protected by credentials chosen by you so that only you can access your personal information and Bullet account. Because the password is confidential, Bullet advises you to keep it safe and never share it, ensuring access is exclusively yours. You acknowledge that you are solely responsible for managing your access credentials.

9.3 User Security Responsibilities

Use strong passwords and avoid accessing your account on third-party devices or public networks. Bullet will never request your password or access PIN, nor will it send executable files for download. Bullet cannot be held responsible for unauthorized access resulting from user negligence.

9.4 Device and Network Security

The operation and security of the devices and networks you use to access our Services are your sole responsibility. To ensure a secure environment, we recommend taking reasonable security precautions (such as using antivirus software, in addition to measures suggested by device manufacturers and software providers). If you suspect your personal data is at risk, contact support channels for assistance.

10. Security Safeguard Breach — Notification

In accordance with Section 10.1 of PIPEDA (Canada) and Article 48 of the LGPD (Brazil), if a security safeguards breach occurs that creates a real risk of significant harm to individuals, Bullet will:

10(a) Individual Notification

Notify affected individuals as soon as possible, including:

  • Description of the breach and personal information involved
  • Date or period of the breach
  • Steps we took to mitigate the risk and prevent future breaches
  • Steps you can take to reduce risk
  • Contact information for inquiries

10(b) Authority Notification

Report the breach to the Office of the Privacy Commissioner of Canada (OPC) and the Brazilian National Data Protection Authority (ANPD):

  • ANPD (Brazil): Notification within a reasonable period, up to 2 business days from awareness of the incident (Art. 48 LGPD)
  • OPC (Canada): Notification as soon as feasible (PIPEDA s. 10.1)

10(c) Third-Party Organization Notification

Notify other organizations if they may help reduce the risk of harm.

Risk Definition

"Real risk of significant harm" includes risks such as: bodily harm, humiliation, damage to reputation, financial loss, identity theft, or negative effects on credit records.

Recordkeeping

We maintain records of all breaches for 24 months, available to the Office of the Privacy Commissioner and ANPD upon request.

Breach Reporting

If you suspect a security breach, contact [email protected] immediately.

11. Compliance with FINTRAC and Anti-Money-Laundering Regulations

As a registered Money Service Business (MSB) in Canada, Bullet is subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and FINTRAC regulations.

Legal Obligations

(a) Identity Verification

We must verify the customer's identity using government-issued identification before providing services (Know Your Customer/KYC requirement).

(b) Record Retention

We must retain records for at least 5 years, including identity verification records, transaction records, and correspondence.

(c) Transaction Reporting

We are required to report certain transactions to FINTRAC without your knowledge or consent:

  • Large Cash Transactions (CAD $10,000 or more in cash)
  • Suspicious Transactions (any amount related to money laundering or terrorist financing)
  • International Electronic Funds Transfers (CAD $10,000 or more)

Information Reported: When required to file a report, we disclose your identifying information, account information, and transaction details to FINTRAC.

Consequences of Non-Compliance: If you do not provide the information required for FINTRAC compliance, we may be unable to open an account or process certain transactions.

For more information: www.fintrac-canafe.gc.ca

12. Cookies and Tracking Technologies

Bullet uses cookies and similar technologies to ensure the functioning of the platform, improve your experience, and offer services aligned with your preferences. The categories used are:

12(a) Essential Cookies

Necessary for authentication, security, session maintenance, and basic operation of the Services. Cannot be disabled.

12(b) Performance and Analytics Cookies

Collect aggregated information on navigation, loading times, and system performance to identify product improvements.

12(c) Preference Cookies

Store settings chosen by you (language, region, device).

12(d) Marketing Cookies

Used only with your express authorization for campaigns, promotions, and personalized recommendations.

Cookie Retention

Cookies remain active until expired or deleted by the user, typically between 30 days and 12 months, depending on the category.

13. International Data Transfers

Bullet operates globally; therefore, your data may be transferred, processed, and stored in countries where Bullet or its partners operate, including Canada, Brazil, the United States, Dominica, and others.

Legal Basis for International Transfer

Under LGPD (Art. 33) and PIPEDA, transfers are conducted based on: countries with an adequate level of protection, such as Canada; contracts or standard contractual clauses with commercial partners; performance of a contract when necessary for providing Services; compliance with legal obligations, including requirements from FINTRAC, ANPD, or other competent authorities.

Safeguard Measures

All transfers follow:

  • Environment segregation and granular access control
  • Contractual clauses addressing privacy and confidentiality

14. Anonymization and Pseudonymization

Bullet implements anonymization and pseudonymization techniques to protect personal data whenever possible. This includes:

  • Automatic masking of sensitive data in the "Clients" module
  • Pseudonymization of identifiers in internal reports
  • Masking of documents and photos for profiles without elevated permission
  • Irreversible anonymization for statistical or operational purposes

Anonymized data is not considered personal data under LGPD and PIPEDA.


Bullet Payments and Financial Services Ltd.
578 – 2912 WEST BROADWAY – Vancouver – BC – V6K 0E9 – Canada

© 2025 – Privacy Policy