This Privacy Policy ("Privacy Policy") is an integral part of Bullet's General Terms and Conditions of Use and describes how Bullet and its subsidiaries, affiliates, related and parent companies (collectively referred to as "Bullet") process your personal data in connection with the Services, in compliance with applicable legislation and, in particular:

• Personal Information Protection and Electronic Documents Act (PIPEDA) – S.C. 2000, c. 5 (Canada)
• Lei Geral de Proteção de Dados (LGPD) – Law No. 13.709/2018 (Brazil)

Bullet values the security and privacy of your information and has therefore developed this Privacy Policy to ensure transparency regarding the processing of your personal data.

IF YOU DO NOT AGREE WITH THE PERSONAL DATA PROCESSING CONDITIONS SET FORTH IN THIS PRIVACY POLICY, WE WILL BE UNABLE TO PROVIDE OUR SERVICES. THIS MEANS THAT BY USING THE SERVICES PROVIDED BY BULLET, YOU FULLY AGREE TO THE TERMS OF THIS PRIVACY POLICY. THEREFORE, PLEASE READ IT CAREFULLY AND, IF YOU HAVE ANY QUESTIONS, CONTACT OUR CUSTOMER SUPPORT SERVICE.

1. WHO WE ARE

1.1 Bullet is a trademark owned by BULLET PAYMENTS AND FINANCIAL SERVICES LTD., a limited liability company headquartered in the city of Vancouver, Province of British Columbia – BC, located at 578-2912 WEST BROADWAY, Postal Code V6K0E9, Canada, registered under number BC1506717, and the controlling entity responsible for processing your personal data. The Bullet platform is available exclusively through the URL: https://bullet.cash.

MSB Registration: C100000796 (FINTRAC – Canada)

1.2 To ensure transparency and accuracy in its rules, Bullet may amend this Privacy Policy at any time. If changes occur, you will be notified by email and/or through a notice in our App. If you do not agree with the changes, you must stop accessing the website and using Bullet's services. If you continue to access the website and use the services after such changes, you accept and agree to the updated terms of the Privacy Policy.

1.3 Data Protection Officer (DPO) / Privacy Officer: Name: Victor Araujo

The DPO/Privacy Officer is responsible for:

• Ensuring compliance with PIPEDA (Canada) and LGPD (Brazil)
• Receiving and responding to privacy inquiries and complaints
• Communicating with the ANPD (Brazil) and the Office of the Privacy Commissioner of Canada
• Advising on data protection practices

For privacy-related matters: atendimento@bullet.cash

2. HOW DOES REGISTRATION ON BULLET WORK?

2.1 Bullet collects the personal data necessary, as listed below, to properly provide its functionalities and comply with legal obligations. By registering and using the Services, you provide Bullet with personal data, which will be processed in accordance with this Privacy Policy and may be used in the situations and for the purposes described herein.

2.2 Users under eighteen (18) years of age must not use Bullet. If we become aware of registrations made by minors, their personal data will be deleted from our databases and their accounts will be canceled.

3. WHAT PERSONAL DATA IS COLLECTED?

3.1 Bullet may collect your information in various circumstances:

(a) To register in the Bullet App, you voluntarily submit and expressly authorize Bullet to collect and process personal data such as:

• (i) full name;
• (ii) tax identification number (CPF/SIN);
• (iii) email address;
• (iv) phone number;
• (v) date of birth;
• (vi) full address.

(b) For services or transactions involving additional legal and regulatory obligations, additional personal data may be required, such as:

• (i) copy of driver's license, ID card, or another identification document;
• (ii) proof of address;
• (iii) user photo (selfie);
• (iv) proof of income and tax returns, including income tax declaration;
• (v) other data and documents required by authorities and regulatory bodies.

(c) To enable financial transactions, we may request banking details, such as:

• (i) proof of relationship with financial institutions;
• (ii) identification of financial institutions, branches, and bank accounts;
• (iii) PIX transfer keys;
• (iv) other data necessary to carry out transactions.

(d) For participation in exclusive promotions offered by Bullet, including platform nickname data.

3.2 Bullet is not responsible for the accuracy, untruthfulness, or outdatedness of the information you provide, but we commit to correcting it upon request, as required by law.

3.3 This Policy does not apply when you click on a link and are redirected to third-party websites, Bullet partners. In such cases, we recommend that you read the third-party website's privacy policy before providing any personal data.

4. WHAT TECHNICAL DATA IS COLLECTED?

4.1 You also authorize the collection of the following technical information:

• (i) access IP address;
• (ii) access time;
• (iii) date and time of access;
• (iv) device type;
• (v) pages visited;
• (vi) language used;
• (vii) your location;
• (viii) roaming tracking;
• (ix) software crash reports;
• (x) browser type.

4.2 We use anonymized personal data to produce statistics, studies, research, project planning and surveys relevant to Bullet's services and user behavior. We also use anonymized data to manage risks and detect, prevent, and/or remediate fraud or other potentially illegal or prohibited activities, pursuant to applicable terms of use.

4.3 For promotional purposes of Bullet's products and services, you may choose, at registration, to authorize or not the use of your data for this purpose, ensuring that your consent is given freely, informedly, and unequivocally. If you agree to receive marketing, you may opt out at any time by contacting Bullet.

4.4 In addition to the data provided for the purposes described above, you also authorize Bullet to use your preferences to notify you of new services that may be of interest to you.

5. PURPOSE OF DATA PROCESSING

5.1 When you contract Bullet, you provide the personal data necessary to enable the operation and provision of Services. We also collect data to comply with legal obligations, based on your consent, and to meet Bullet's legitimate interests.

5.2 Legal Bases for Data Processing

In accordance with LGPD (Law 13.709/2018, Art. 7) and PIPEDA, we process your personal data based on the following legal grounds:

(a) Performance of a Contract (Art. 7, V LGPD) Data used for: processing financial transactions; managing your account; providing the contracted services; billing.

(b) Compliance with Legal or Regulatory Obligation (Art. 7, II LGPD) Data used for: compliance with FINTRAC (Canada), Central Bank of Brazil, COAF; identity verification (KYC); anti–money laundering and counter-terrorism financing (AML/CTF); retention of records for 5 years; compliance with court orders.

(c) Legitimate Interest (Art. 7, IX LGPD) Data used for: fraud prevention and detection; system and transaction security; risk analysis; product and service improvement. You may object to processing based on legitimate interest.

(d) Consent (Art. 7, I LGPD) Data used for: marketing communications; sharing with non-essential business partners; non-essential cookies. You may withdraw consent at any time.

5.3 Whenever the purpose of processing changes in a manner incompatible with the original consent, you will be informed in advance and may revoke your consent if you disagree. Bullet only processes personal data when there is a legal basis to do so.

5.4 The data listed in item 3 is used by Bullet exclusively to:

• (i) identify you and validate the data provided;
• (ii) enable financial transactions between you and Bullet;
• (iii) include your data in Bullet's services/products;
• (iv) provide the service properly;
• (v) billing;
• (vi) contact you to address requests and inquiries;
• (vii) assess whether you are over 18 years of age and eligible to use Bullet;
• (viii) contact you about Bullet's services and third-party services that may be of interest.

5.5 The data listed in items 3 and 4, including payment and financial transaction data, are used exclusively to:

• (i) improve your user experience;
• (ii) validate your identity, ensure security, conduct risk and fraud analyses;
• (iii) comply with regulatory obligations, including customer identification and prevention of money laundering or terrorist financing;
• (iv) fulfill Bullet's legitimate interests in delivering its services.

5.6 In addition to the purposes and legal bases described above, certain activities will only be carried out with your consent, such as promotion of Bullet's products and services and those of third parties. At registration or at any time while you are a user, you may choose to authorize or not the use of your data for this purpose.

5.7 Processing will be carried out in accordance with the law and will end when:

• (i) the purpose is fulfilled or no longer necessary;
• (ii) the processing period has ended;
• (iii) you request its termination;
• (iv) required by competent authorities.

5.8 While processing is ongoing, all personal data provided to Bullet:

• (i) will be stored in a secure database with controlled access restricted to authorized personnel subject to confidentiality obligations;
• (ii) will be used exclusively for the purposes for which you consented or were informed;
• (iii) will comply with applicable legal requirements.

6. SHARING OF PERSONAL DATA

6.1 To carry out financial transactions with banks and payment service providers, Bullet may share data and retain transaction records.

6.2 Bullet may also share data to comply with requirements from public and/or regulatory authorities, including:

Canada: FINTRAC (Financial Transactions and Reports Analysis Centre of Canada), Office of the Privacy Commissioner of Canada, judicial and law enforcement authorities.

As a registered Money Service Business (MSB), we are legally required to report certain transactions and maintain records. Data may also be shared with third parties to enforce our terms of use or any other contracts, in line with our legitimate interest.

6.3 Bullet may share personal data with service partners to enable contracted services, such as:

• Cloud hosting and infrastructure providers
• Identity verification and KYC service providers
• Payment processors and financial institutions
• Fraud prevention and security services
• Communication service providers (for transactional communications and, with your consent, marketing communications)

All service providers are contractually required to maintain confidentiality and use the data only for specified purposes.

6.4 If you request correction, deletion, anonymization, blocking of data, or withdrawal of consent, we will inform our partner companies with whom your personal data has been shared so that they may take the requested actions.

7. DATA SUBJECT RIGHTS

7.1 As the owner of your personal data, you may, at any time and upon written request:

• (i) confirm the existence of processing;
• (ii) access your data;
• (iii) correct incomplete, inaccurate, or outdated data;
• (iv) anonymize, block, or delete unnecessary, excessive, or unlawfully processed data;
• (v) transfer your personal data to another service provider;
• (vi) delete personal data processed with your consent;
• (vii) obtain information about public and private entities with whom we share data;
• (viii) obtain information about the possibility of refusing consent and the consequences;
• (ix) revoke consent for processing personal data.

7.2 To exercise any of your rights, contact us: Email: atendimento@bullet.cash

Response Time:

• Brazil Users: 15 calendar days (LGPD Art. 18, §1)
• Canada Users: 30 days (PIPEDA)

Identification Required: To protect your privacy, we require proof of identity (government-issued photo ID) before handling access, correction, or deletion requests.

Cost: Most requests are processed at no cost. For extensive or repetitive requests, we may charge a minimal fee to cover costs and will inform you in advance.

Format of Response: We will provide your information in a comprehensible format (PDF or another requested format).

7.3 There may be cases in which your request cannot be fulfilled (for example, we may retain and use data processed with consent as permitted by law). In such cases, you will be informed of the reason and provided with the relevant contact information.

Limitations on the Exercise of Rights: We cannot comply with requests when:

• Data is necessary to comply with a legal obligation (e.g., 5-year retention for FINTRAC)
• Data is necessary for the regular exercise of rights in judicial proceedings
• Data is protected by professional secrecy
• Deletion would be impossible or require disproportionate efforts (LGPD Art. 18, §3)

7.4 If you wish to exercise any of the above rights, or in case of questions, suggestions, or complaints, contact us at atendimento@bullet.cash. Your account will be closed after your data is deleted. We will retain communications with you as required by public authorities or competent bodies, including for legal defense purposes.

8. RETENTION OF PERSONAL INFORMATION

Bullet retains personal information only for the time necessary to fulfill the purposes for which it was collected, comply with legal/regulatory obligations, and preserve rights in judicial or administrative proceedings. The retention periods below comply with applicable laws in Canada (PIPEDA, FINTRAC) and Brazil (LGPD, Central Bank, COAF).

(a) Transaction and Financial Records: Minimum of 5 years Legal Requirement: FINTRAC regulations (Canada) under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations and, in Brazil, Resolution BCB No. 277/2023, Circular BCB No. 3.978/2020, and Law No. 9.613/1998 (Art. 10, I) require MSBs and financial institutions to retain transaction records, KYC documents, and AML/CTF records for at least 5 years from the date of the transaction or termination of the relationship.

(b) Account Information: Duration of relationship + 5 years Purpose: Contract performance and legal defense in compliance with FINTRAC obligations.

(c) Marketing Consent: Until consent is withdrawn After withdrawal, we will immediately stop marketing communications and suppress your contact information.

(d) Security Logs: 12 months Purpose: Security incident investigations.

(e) Anonymized Data: Indefinitely Anonymized data is no longer considered personal information under PIPEDA and LGPD (Art. 12).

Secure Destruction: After the retention period ends, we securely and permanently destroy personal information through secure deletion or physical destruction, unless longer retention is required by law.

9. SECURITY MEASURES TO PROTECT THE USER

9.1 Bullet will always take appropriate technical and organizational measures to protect your personal data to the greatest extent possible. Various industry-standard security measures are adopted to protect your information, which is stored in a secure and confidential database.

Technical Measures:

• Access Controls: Multi-factor authentication for administrative access; role-based access control
• Network Security: Firewalls, intrusion detection/prevention systems, 24/7 monitoring

Organizational Measures:

• Confidentiality Obligations: All employees and contractors sign NDAs
• Security Training: Mandatory privacy and security training for all staff
• Vendor Management: Data processing agreements with all service providers requiring protection equivalent to PIPEDA and LGPD

9.2 Your account will be protected by credentials chosen by you so that only you can access your personal information and Bullet account. Because the password is confidential, Bullet advises you to keep it safe and never share it, ensuring access is exclusively yours. You acknowledge that you are solely responsible for managing your access credentials.

9.3 Use strong passwords and avoid accessing your account on third-party devices or public networks. Bullet will never request your password or access PIN, nor will it send executable files for download. Bullet cannot be held responsible for unauthorized access resulting from user negligence.

9.4 The operation and security of the devices and networks you use to access our Services are your sole responsibility. To ensure a secure environment, we recommend taking reasonable security precautions (such as using antivirus software, in addition to measures suggested by device manufacturers and software providers). If you suspect your personal data is at risk, contact our support channels for assistance.

10. SECURITY SAFEGUARD BREACH – NOTIFICATION

In accordance with Section 10.1 of PIPEDA (Canada) and Article 48 of the LGPD (Brazil), if a security safeguards breach occurs that creates a real risk of significant harm to individuals, we will:

(a) Notify affected individuals as soon as possible, including:

• Description of the breach and personal information involved
• Date or period of the breach
• Steps we took to mitigate the risk and prevent future breaches
• Steps you can take to reduce risk
• Contact information for inquiries

(b) Report the breach to the Office of the Privacy Commissioner of Canada (OPC) and the Brazilian National Data Protection Authority (ANPD):

• ANPD (Brazil): Notification within a reasonable period, up to 2 business days from awareness of the incident (Art. 48 LGPD)
• OPC (Canada): Notification as soon as feasible (PIPEDA s. 10.1)

(c) Notify other organizations if they may help reduce the risk of harm.

"Real risk of significant harm" includes risks such as: bodily harm, humiliation, damage to reputation, financial loss, identity theft, or negative effects on credit records.

Recordkeeping: We maintain records of all breaches for 24 months, available to the Office of the Privacy Commissioner and ANPD upon request.

Reporting Suspected Breaches: If you suspect a security breach, contact atendimento@bullet.cash immediately.

11. COMPLIANCE WITH FINTRAC AND ANTI-MONEY-LAUNDERING REGULATIONS

As a registered Money Service Business (MSB) in Canada, Bullet is subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and FINTRAC regulations.

Our Legal Obligations:

(a) Identity Verification: We must verify the customer's identity using government-issued identification before providing services (Know Your Customer/KYC requirement).

(b) Record Retention: We must retain records for at least 5 years, including identity verification records, transaction records, and correspondence.

(c) Transaction Reporting: We are required to report certain transactions to FINTRAC without your knowledge or consent:

• Large Cash Transactions (CAD $10,000 or more in cash)
• Suspicious Transactions (any amount related to money laundering or terrorist financing)
• International Electronic Funds Transfers (CAD $10,000 or more)

Information Reported: When required to file a report, we disclose your identifying information, account information, and transaction details to FINTRAC.

Consequences of Non-Compliance: If you do not provide the information required for FINTRAC compliance, we may be unable to open an account or process certain transactions.

For more information: www.fintrac-canafe.gc.ca

12. COOKIES AND TRACKING TECHNOLOGIES

Bullet uses cookies and similar technologies to ensure the functioning of the platform, improve your experience, and offer services aligned with your preferences. The categories used are:

(a) Essential Cookies: Necessary for authentication, security, session maintenance, and basic operation of the Services. Cannot be disabled.

(b) Performance and Analytics Cookies: Collect aggregated information on navigation, loading times, and system performance to identify product improvements.

(c) Preference Cookies: Store settings chosen by you (language, region, device).

(d) Marketing Cookies (Optional / Consent-Based): Used only with your express authorization for campaigns, promotions, and personalized recommendations.

Retention: Cookies remain active until expired or deleted by the user, typically between 30 days and 12 months, depending on the category.

13. INTERNATIONAL DATA TRANSFERS

Bullet operates globally; therefore, your data may be transferred, processed, and stored in countries where Bullet or its partners operate, including Canada, Brazil, the United States, Dominica, and others.

Legal Basis for International Transfer

Under LGPD (Art. 33) and PIPEDA, transfers are conducted based on:

• (a) countries with an adequate level of protection, such as Canada;
• (b) contracts or standard contractual clauses with commercial partners;
• (c) performance of a contract when necessary for providing Services;
• (d) compliance with legal obligations, including requirements from FINTRAC, ANPD, or other competent authorities.

Safeguard Measures

All transfers follow:

• Environment segregation and granular access control
• Contractual clauses addressing privacy and confidentiality

14. ANONYMIZATION AND PSEUDONYMIZATION

Bullet implements anonymization and pseudonymization techniques to protect personal data whenever possible. This includes:

• Automatic masking of sensitive data in the "Clients" module
• Pseudonymization of identifiers in internal reports
• Masking of documents and photos for profiles without elevated permission
• Irreversible anonymization for statistical or operational purposes

Anonymized data is not considered personal data under LGPD and PIPEDA.

Bullet Payments and Financial Services Ltd. 578 – 2912 WEST BROADWAY – Vancouver – BC – V6K 0E9 – Canada.